Wireshark-users: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark

From: Mitsuho Iizuka <m-iizuka@xxxxxxxxxxxxx>
Date: Thu, 28 Jun 2007 15:21:18 +0900 (JST)
hi,

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Subject: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark ?
Date: Wed, 27 Jun 2007 21:52:38 -0700

> > I would like to write scripts as follows,
> > 
> > (tcp.ports != 400 && tcp.ports !=401 && .... && tcp.ports = 800)
> > 
> > of course, port number is not sequential.
> 
> Are the frame numbers sequential?  Is there a pattern to the tcp port 
> numbers that you want to include/exclude?

Frame numbers are not sequential. Those are many Load Balancer (LB)
health check packets (1 packet / 2 seconds) against LDAP on SSL, and
a few target packets I would like to analyze. My previous question
was a result of trying to exclude unwanted packets. The pattern is health
check packets failed to get SSL.alert because of a bad exchange key
on LB.  That's why all src.port packets have the same port number
as the SSL.alert packet. The port numbers above were extracted port
numbers including SSL.alert. Now I have 400 unwanted ports.

> Actually, this has been raised to 500 in the latest SVN source code 
> tree.

Editcap does not have a feature to specify unwanted ports from the
command line arguments. tcpdump has an option for that. However the -w option
is for a different purpose. Anyway, what is a good tool to include/exclude
packets with specific conditions against an already obtained snoop file?

Thanks in advance.

Regards,
// Mitsuho Iizuka
// AP Server Grp., 2nd System Software Div.,
// System Software Opr.Unit, IT Platform Biz.Unit, NEC Corp.
// Phone:+81-3-3456-4322
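The thread asks how to strip several hundred health-check TCP ports out of an already captured snoop file and how to express such a long exclusion as a display filter. The script below is an added example, not code from the thread or from the Wireshark project: it generates the exclusion filter in both the classic `tcp.port != a && tcp.port != b ...` chain and the newer set-membership form, and it rewrites a snoop capture (RFC 1761 format) keeping only frames whose TCP ports are not in the unwanted set. The capture, the port numbers (a few high ephemeral ports talking to 636) and the timestamps are constructed for the demonstration; the snoop and TCP/IP parsing covers only Ethernet/IPv4/TCP, which is what the poster describes.

```python
import struct
from typing import Iterable, List, Optional, Tuple

# Snoop file format constants (RFC 1761): magic, version 2, datalink Ethernet.
SNOOP_MAGIC = b"snoop\x00\x00\x00"
SNOOP_VERSION = 2
SNOOP_DLT_ETHERNET = 4
SNOOP_RECORD_HDR = struct.Struct("!IIIIII")  # orig_len, incl_len, rec_len, drops, sec, usec

Record = Tuple[int, int, int, bytes]  # (ts_sec, ts_usec, original_len, frame bytes)


def build_legacy_filter(unwanted_ports: Iterable[int]) -> str:
    """Classic display filter: one '!=' clause per excluded port."""
    ports = sorted(set(unwanted_ports))
    return " && ".join("tcp.port != %d" % p for p in ports)


def build_set_filter(unwanted_ports: Iterable[int]) -> str:
    """Same exclusion using the 'in {...}' membership operator of newer Wireshark."""
    ports = sorted(set(unwanted_ports))
    return "!(tcp.port in {%s})" % " ".join(str(p) for p in ports)


def tcp_ports(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (src_port, dst_port) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6:  # IP protocol field: 6 = TCP
        return None
    tcp_off = 14 + ihl
    if len(frame) < tcp_off + 4:
        return None
    return struct.unpack("!HH", frame[tcp_off:tcp_off + 4])


def read_snoop(data: bytes) -> Tuple[int, List[Record]]:
    """Parse a snoop file into (datalink type, records)."""
    if data[:8] != SNOOP_MAGIC:
        raise ValueError("not a snoop file")
    version, dlt = struct.unpack("!II", data[8:16])
    if version != SNOOP_VERSION:
        raise ValueError("unsupported snoop version %d" % version)
    records: List[Record] = []
    off = 16
    while off + SNOOP_RECORD_HDR.size <= len(data):
        orig_len, incl_len, rec_len, _drops, sec, usec = SNOOP_RECORD_HDR.unpack_from(data, off)
        start = off + SNOOP_RECORD_HDR.size
        records.append((sec, usec, orig_len, data[start:start + incl_len]))
        off += rec_len  # rec_len already includes the 4-byte padding
    return dlt, records


def write_snoop(dlt: int, records: Iterable[Record]) -> bytes:
    """Serialise records back into a snoop file, padding each record to 4 bytes."""
    out = [SNOOP_MAGIC, struct.pack("!II", SNOOP_VERSION, dlt)]
    for sec, usec, orig_len, frame in records:
        pad = (-len(frame)) % 4
        rec_len = SNOOP_RECORD_HDR.size + len(frame) + pad
        out.append(SNOOP_RECORD_HDR.pack(orig_len, len(frame), rec_len, 0, sec, usec))
        out.append(frame + b"\x00" * pad)
    return b"".join(out)


def drop_unwanted_ports(snoop_bytes: bytes, unwanted_ports: Iterable[int]) -> bytes:
    """Keep every record except TCP frames whose src or dst port is unwanted."""
    unwanted = set(unwanted_ports)
    dlt, records = read_snoop(snoop_bytes)
    kept = [r for r in records
            if not (tcp_ports(r[3]) and set(tcp_ports(r[3])) & unwanted)]
    return write_snoop(dlt, kept)


# --- constructed sample data (not from the thread) -------------------------
def make_frame(sport: int, dport: int) -> bytes:
    """Minimal Ethernet/IPv4/TCP frame with the given ports (checksums left zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp


UNWANTED_PORTS = [40001, 40002, 40003]  # hypothetical LB health-check source ports


def sample_capture() -> bytes:
    """Three health-check frames interleaved with two frames worth analysing."""
    frames = [make_frame(40001, 636), make_frame(636, 40001), make_frame(51234, 636),
              make_frame(40003, 636), make_frame(636, 51234)]
    records = [(1182000000 + 2 * i, 0, len(f), f) for i, f in enumerate(frames)]
    return write_snoop(SNOOP_DLT_ETHERNET, records)


def kept_port_pairs(snoop_bytes: bytes) -> List[Optional[Tuple[int, int]]]:
    """Port pairs of every record in a snoop file, in file order."""
    return [tcp_ports(r[3]) for r in read_snoop(snoop_bytes)[1]]


if __name__ == "__main__":
    filtered = drop_unwanted_ports(sample_capture(), UNWANTED_PORTS)
    print(kept_port_pairs(filtered))        # [(51234, 636), (636, 51234)]
    print(build_set_filter(UNWANTED_PORTS))  # !(tcp.port in {40001 40002 40003})
```

The generated filter string can be handed to tshark to produce a reduced capture directly (`tshark -r in.snoop -Y "$(python3 filter.py)" -w out.pcap` on a current tshark, which reads snoop natively), so the membership form keeps the expression short even for several hundred ports; the pure-Python rewrite is the fallback when only a snoop file and an interpreter are at hand.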