I'd like to write a filter that shows the last 5 frames from all TCP streams in the capture (the last 5 frames from stream #1, the last 5 frames from stream #2, ...). Is it possible? Thanks in advance!
asked 20 Jun '14, 18:58
edited 21 Jun '14, 19:40
Guy Harris ♦♦
You could write a Lua script to do this, if you want to automate it. You could either (1) write a Lua script to automatically build the appropriate display filter (i.e., a huge display filter of the correct frame numbers to display) and have the script also apply the filter, or (2) write a Lua script to create a new temporary pcap file of only the appropriate packets and have the script also load that temp file.
answered 24 Jun '14, 07:06
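Option (1) from the answer above, as an added example that is not part of the original answer: it uses Python over tshark field output instead of a Lua script. It assumes the input came from `tshark -r capture.pcap -Y tcp -T fields -e tcp.stream -e frame.number`; the sample rows and function names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample rows (tcp.stream, frame.number), standing in for the
# tab-separated output of the tshark command named in the lead-in.
SAMPLE_ROWS = ([(0, 1), (0, 2), (0, 3), (0, 4), (1, 5), (0, 6), (1, 7),
                (0, 8), (0, 9), (0, 11)]
               + [(2, n) for n in range(12, 21)] + [(1, 25)])
SAMPLE = "\n".join(f"{s}\t{f}" for s, f in SAMPLE_ROWS)

def last_frames_per_stream(lines, n=5):
    """Return {stream index: last n frame numbers} for every TCP stream."""
    tails = defaultdict(lambda: deque(maxlen=n))  # deque drops the oldest frame
    for line in lines:
        parts = line.strip().split("\t")
        # Skip blank lines and rows with several comma-separated values
        # (for example TCP headers quoted inside ICMP errors).
        if len(parts) != 2 or not all(p.isdigit() for p in parts):
            continue
        stream, frame = int(parts[0]), int(parts[1])
        tails[stream].append(frame)
    return {s: sorted(d) for s, d in tails.items()}

def to_ranges(frames):
    """Collapse frame numbers into inclusive (start, end) runs."""
    ranges = []
    for f in sorted(set(frames)):
        if ranges and f == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], f)
        else:
            ranges.append((f, f))
    return ranges

def build_display_filter(tails):
    """Build one display filter matching every selected frame."""
    frames = [f for fl in tails.values() for f in fl]
    terms = []
    for lo, hi in to_ranges(frames):
        if lo == hi:
            terms.append(f"frame.number == {lo}")
        else:
            terms.append(f"(frame.number >= {lo} && frame.number <= {hi})")
    return " || ".join(terms)

if __name__ == "__main__":
    print(build_display_filter(last_frames_per_stream(SAMPLE.splitlines())))
```

Collapsing consecutive frame numbers into ranges keeps the filter short when hundreds of streams are involved.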
There is a manual way to do it, but it will only work for a few connections. So, how many of those connections do you have to look at?
Unfortunately, there is no automatic way in the current code, so you'll either have to implement that yourself or use external tools.
answered 22 Jun '14, 04:38
Kurt Knochner ♦
Thanks for the answer! In this particular case we're talking about hundreds of connections (otherwise I would have just looked at the conversations one by one).
(23 Jun '14, 08:15) sjlee
Since you have hundreds of connections you obviously need to automate this. If you are looking for an external tool that allows this kind of scripting, check out Unsniff. This blog post should help with your particular case: http://www.unleashnetworks.com/blog/?p=627
Hope this helps.
(24 Jun '14, 06:17) VIVEKRJG
Unsniff sounds real interesting. I'll check it out. Thanks!
(24 Jun '14, 08:28) sjlee
Are you asking for a method during the capturing phase (question title) or during the analysis phase (question text, as I understand it)?
What exactly are you trying to do with those last 5 frames?
Thanks for the comment. I'm asking for a method during the analysis phase. I'd like to look at all the frames just prior to connections being closed.