hi there i want to apply a filter on pcap file to filter the RTP packets, but when i do that the packet number changes and starts from 1 . i know this should be like this, but i need to know the previous packet number, so i can modify the corresponding packet in the original pcap file . tnx asked 28 Aug '12, 07:51  reza |
3 Answers:
In reading this, I believe reza has filtered RTP packets from one capture file and saved those filtered RTP packets into a new capture file. In this case, the packets will be renumbered in the newly created capture file. I recall in a somewhat recent discussion, on -dev I think, that there was a desire to add this capability (being able to track things like original capture file frame numbers, etc.) using pcapng, but as far as I am aware, there is no support for this yet. I have added a bullet item to the pcapng wishlist. answered 28 Aug '12, 15:58  cmaynard ♦♦ |
it does not do that on my system (Win XP SP3) for Wireshark 1.6.x and 1.8.x, if I apply a display filter for an already opened pcap file!
However, it does 'renumber' the frames if you apply a display filter while opening a pcap file. If that is your problem, just open the whole file without filter and then apply the display filter. Regards answered 28 Aug '12, 11:13  Kurt Knochner ♦ edited 28 Aug '12, 11:23 |
I solved my problem by using the sequence number of packets instead of frame number, but having the feature to be able to track the original packet after applying a filter is very useful, tnx christopher answered 31 Aug '12, 14:48 reza |
Well, since Chris ahs put it on the Wishlist for pcanng features you might be lucky in the future :-)
One question, how should the packet numbers after two iterations of selective saving?
I supose this discussion should be held elsewhere but some sort of file history (display filters etc) has also been discussed, perhaps packet number over file iterations could be saved ( File 1, pkt x, File 2, pkt y ...) displaying the info in a meaningful way is another topic :-)