Could wireshark use the import facility of XML or some king of entity relationship so that pdml files do not become unordinately big? ~ I think tcpflow works that way. It only keeps active open connections and close the file with the particular data once the connection is closed. ~ Thank you lbrtchx asked 21 Oct '11, 06:26 Albretch Mue... |
One Answer:
This is where Wireshark and tcpflow differ. While tcpflow just concerned with TCP flows, Wireshark goes beyond that and works on every frame seen on the network. You may want to limit your output by filter ing your capture before saving it as PDML. answered 21 Oct '11, 07:31 Jaap ♦ |
Well, "beyond" you say?
~
How is it that your answer relate to my question?
~I see that wireshark is more like a network traffic viewer (using the output sniffed by tcpdump), but it would be nice if it would somehow craft PDML files in a way that, even while working on "every frame seen on the network" it would, in a more orthodox MVC way, let users easily only -open- and view what they want
~I think the functionality is there (it is like -opening for viewing- only what you need instead of "working on every packet" and then letting users "select" what they need to view). Probably a few changes in the code would achieve this. This is how it would functional stack up:
~1) tcpdum sniffs network traffic
~2) > > a la tcpflow, files and their metadata would be separately captured < <
~3) wireshark would use (2)'s metadata to select and only view what one needs
~I could reword my initial question: How do people do if they need to keep a viewer open for long periods of time to only watch certain packets without making the capture files prohibitively large?
~lbrtchx
There are other tools for that.