Ethereal-users: Re: [ethereal-users] Ethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxxxxx>
Date: Tue, 9 May 2000 23:21:06 -0700

On Tue, May 09, 2000 at 02:10:13PM +0200, Anders Larsson wrote:
> I was wondering if u plan to add sort by ip?

I've just now checked in Graham Bloice's change to allow sorting the
packet list by any column, although that lets you sort by the source or
destination address as a string, and not all packets necessarily have an
IP source and destination address (e.g., ARP packets).

> And if u can show only one tcp stream of the ip that was accessed? not
> all streams, hope u understand my question :)

I'm not sure I do.

Currently, if the currently-selected packet in the list of packets is
part of a TCP connection, you can either select the "Tools->Follow TCP
Stream" menu item from the menu bar, or "Follow TCP Stream" from the
right-mouse-button menu, and

	1) a window containing the data in all TCP packets between the
	   IP addresses and ports in that packet will be popped up;

	2) the display will be filtered to show only those packets.

That won't show TCP streams between other IP address/port pairs.

*However*, it *will* show all TCP streams between those two IP addresses
and ports, not just the one to which the currently-selected packet
belongs.

Is that the issue you're thinking of?

I've been thinking about having the first pass through the capture,
which reads all packets in order:

	1) create a data structure for each TCP connection it sees,
	   *including creating a new one if it sees an initial SYN
	   following a final FIN for a connection with the same IP
	   addresses and ports* (i.e., maintaining connection state);

	2) attach to each TCP packet (using the stuff Richard
	   Sharpe put in, assuming Richard thinks it's ready to start
	   using) a reference to the connection to which that packet
	   belongs;

	3) having the "Follow TCP Stream" stuff include only packets
	   with the same connection pointer as the one the currently
	   selected packet has (which would arrange that it show *only*
	   that connection, not other connections between the same IP
	   addresses and ports).

> if i click in the capture, like in the packet in new window..
> it got an + that u can see more info, is it possible to do that in the
> capture window?

Which window are you referring to as the capture window here?

The "[+]" boxes only show up in the protocol-dissection (middle) pane;
there's no way to "open up" packets in the packet list (top) pane.
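
The first-pass connection tracking proposed in the message above, sketched as an added example (not part of the original message and not Ethereal's code). The struct and function names, the fixed-size table, the rule that any FIN or RST marks a connection as closed, and the sample packets are all assumptions made for illustration.

```c
#include <stdint.h>

enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_ACK = 0x10, MAX_CONNS = 32 };
struct pkt  { uint32_t src, dst; uint16_t sport, dport; uint8_t flags; };
struct conn { uint32_t a, b; uint16_t ap, bp; int closed; };
static struct conn conns[MAX_CONNS];
static int nconns;

/* Same two endpoints, in either direction? */
static int same_pair(const struct conn *c, const struct pkt *p) {
    return (c->a == p->src && c->ap == p->sport && c->b == p->dst && c->bp == p->dport)
        || (c->a == p->dst && c->ap == p->dport && c->b == p->src && c->bp == p->sport);
}

/* Return the connection index for one packet, or -1 if the table is full. */
static int assign_conn(const struct pkt *p) {
    int closing = (p->flags & (TH_FIN | TH_RST)) != 0;
    int initial_syn = (p->flags & TH_SYN) && !(p->flags & TH_ACK);
    for (int i = nconns - 1; i >= 0; i--) {         /* newest match first */
        if (!same_pair(&conns[i], p)) continue;
        if (conns[i].closed && initial_syn) break;  /* ports reused: new connection */
        conns[i].closed |= closing;                 /* simplification: any FIN/RST closes */
        return i;
    }
    if (nconns == MAX_CONNS) return -1;
    conns[nconns] = (struct conn){ p->src, p->dst, p->sport, p->dport, closing };
    return nconns++;
}

/* First pass: packets in capture order, ref[i] = connection of packet i. */
void first_pass(const struct pkt *pkts, int n, int *ref) {
    nconns = 0;
    for (int i = 0; i < n; i++) ref[i] = assign_conn(&pkts[i]);
}

/* "Follow TCP Stream": count packets sharing the selected packet's connection. */
int follow_count(const int *ref, int n, int sel) {
    int count = 0;
    for (int i = 0; i < n; i++) count += (ref[i] == ref[sel]);
    return count;
}

/* Constructed sample: two successive connections on the same addresses and ports. */
enum { CLI = 0x0A000001, SRV = 0x0A000002 };  /* 10.0.0.1, 10.0.0.2 */
const struct pkt sample[] = {
    {CLI,SRV,40000,80,TH_SYN}, {SRV,CLI,80,40000,TH_SYN|TH_ACK}, {CLI,SRV,40000,80,TH_ACK},
    {CLI,SRV,40000,80,TH_FIN|TH_ACK}, {SRV,CLI,80,40000,TH_FIN|TH_ACK}, {CLI,SRV,40000,80,TH_ACK},
    {CLI,SRV,40000,80,TH_SYN}, {SRV,CLI,80,40000,TH_SYN|TH_ACK}, {CLI,SRV,40000,80,TH_ACK},
};
```

A filter on addresses and ports alone would return all nine sample packets for either selection; comparing the per-packet connection reference splits them into the first connection (six packets) and the second (three).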