Tom Thotus wrote:
> When two traces (inside and outside of a firewall) are merged, they are
> both the same color. I see that there is a place to manage colors, but
> can't find a way to have the inside and outside traces be two different
> colors in the merged trace. This would greatly aid analyzing the traces
> together. Do you know of a way to do this

If you merge traces, packets are not tagged by the capture file they
came from, so you can't do it based on that - the information as to
which file the packet came from isn't available.

If, however, there's some other characteristic in the packet data
itself, e.g. to or from addresses, it might be possible to use that.

> or if the feature is planned for a future release?

The next generation of libpcap file format would allow packets to be
tagged by the interface on which they're captured, and mergecap could
preserve that tagging (although it might have to have an option to
control what to do if the two captures have interfaces with the same
name - should it default to assuming they're on different machines, and
thus different interfaces, and add an option to cause them to be treated
as the same interface?).

This isn't "planned" in the sense that it's scheduled for a particular
release (we don't have any roadmaps with schedules), but it'll probably
appear at some point after the new libpcap file format is finished
(there's no roadmap for that, either).
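
Added example, not part of the original thread and not mergecap's code: a time-ordered merge of two classic libpcap captures that keeps a per-packet source tag out of band, since the 16-byte record header has no field for it. The names `read_pcap`, `merge_tagged` and `make_pcap` are hypothetical, the sample captures are constructed, and each input is assumed to already be in time order.

```python
import heapq
import struct

def read_pcap(data, tag):
    """Yield (timestamp, tag, frame_bytes) from a classic libpcap byte string."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond libpcap file")
    offset = 24  # fixed-size global header
    while offset + 16 <= len(data):
        # Per-packet header: ts_sec, ts_usec, incl_len, orig_len.
        # There is no field naming the capture file or interface.
        sec, usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated packet record")
        offset += incl_len
        yield (sec + usec / 1_000_000, tag, frame)

def merge_tagged(captures):
    """captures: dict of tag -> pcap bytes. Returns packets in time order, each with its tag."""
    streams = [read_pcap(data, tag) for tag, data in captures.items()]
    return list(heapq.merge(*streams, key=lambda p: p[0]))

def make_pcap(packets):
    """Build a constructed little-endian pcap (linktype 1, Ethernet) for the demo."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

# Constructed sample captures; frame contents are placeholder bytes.
INSIDE = make_pcap([(100, 0, b"in-1"), (100, 500000, b"in-2")])
OUTSIDE = make_pcap([(100, 250000, b"out-1"), (101, 0, b"out-2")])

if __name__ == "__main__":
    for ts, tag, frame in merge_tagged({"inside": INSIDE, "outside": OUTSIDE}):
        print(f"{ts:.6f} {tag:8s} {frame!r}")
```

The tag exists only in the script's output; writing the merged packets back to a classic libpcap file would drop it again.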