On Thu, Jun 28, 2007 at 03:21:18PM +0900, Mitsuho Iizuka wrote:
> > > I would like to write scripts as follows,
> > >
> > > (tcp.ports != 400 && tcp.ports !=401 && .... && tcp.ports = 800)
> > >
> > > of course, the port numbers are not sequential.
> >
> > Are the frame numbers sequential? Is there a pattern to the tcp port
> > numbers that you want to include/exclude?
>
> Frame numbers are not sequential. Those are many Load Balancer (LB)
> health check packets (1 packet/2 seconds) against LDAP on SSL, and
> a few target packets I would like to analyze. My previous question
> was a result of trying to exclude the unwanted packets. The pattern is
> health check packets that failed to get SSL.alert because of a bad
> exchange key on the LB. That's why all src.port packets have the same
> port number as the SSL.alert packet. The port numbers above were
> extracted port numbers, including SSL.alert. Now I have 400 unwanted ports.
Health checks done by LBs are usually done from their own IP address, while production traffic comes either from the client IP or the NATted address, which is usually different from the address that the health checks are sent from. But... this varies per LB brand. If they are different, you can filter on the IP addresses. Please note that you can use a filter like "!ip.addr==<ip-healthchecks>"

> > Actually, this has been raised to 500 in the latest SVN source code
> > tree.
>
> Editcap does not have a feature to specify unwanted ports as a
> command line argument. tcpdump has an option as above. However, the -w
> option has a different purpose. Anyway, what is a good tool to
> include/exclude packets matching specific conditions from an already
> obtained snoop file?

Exactly, editcap just takes frame numbers or times as filters. But you can use tshark for your purpose like this:

    tshark -r <in-file> -w <out-file> -R "<display-filter of frames you want to keep>"

If you have a complex filter and you are using tshark from unix (or cygwin), you could have the filter in a file and do:

    tshark -r <in-file> -w <out-file> -R "`cat <filter-file>`"

Hope this helps,

Cheers,
Sake
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
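With 400 unwanted ports, typing the filter by hand is not practical, so here is a small POSIX shell helper that generates it from a file of port numbers (one per line) and optionally adds the health-check address exclusion Sake describes. This is an added example, not code from the thread or from the Wireshark project; the file names, the address 10.0.0.5 and the output capture name are placeholders. Two details worth knowing: the field is `tcp.port` (the `tcp.ports` in the question is not a field name), and the negated equality `!(tcp.port == N)` / `!(ip.addr == X)` is the form that behaves the same in every Wireshark version, whereas `ip.addr != X` has historically matched any packet in which either the source or the destination differs from X, which is nearly every packet. In current tshark the single-pass display filter is `-Y`; `-R` is now a two-pass read filter that requires `-2`.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Builds a tshark display filter that drops every TCP port listed in a
# file, one port per line ('#' comments and blank lines are ignored),
# optionally combined with the load balancer's health-check address.

# Emit "!(tcp.port == P1 || tcp.port == P2 || ...)" for the ports in $1.
# A non-numeric entry is an error, so a typo cannot silently widen the filter.
build_port_exclude_filter() {
    ports_file=$1
    filter=""
    while IFS= read -r line || [ -n "$line" ]; do
        port=${line%%#*}                                  # strip trailing comment
        port=$(printf '%s' "$port" | tr -d '[:space:]')   # strip whitespace
        [ -z "$port" ] && continue
        case $port in
            *[!0-9]*) printf 'bad port: %s\n' "$line" >&2; return 1 ;;
        esac
        if [ -z "$filter" ]; then
            filter="tcp.port == $port"
        else
            filter="$filter || tcp.port == $port"
        fi
    done < "$ports_file"
    [ -n "$filter" ] || { printf 'no ports in %s\n' "$ports_file" >&2; return 1; }
    printf '!(%s)' "$filter"
}

# Combine the port exclusion with a health-check source address, if given.
# "!(ip.addr == X)" drops both directions of the health check; "ip.addr != X"
# would not, because it matches when either endpoint differs from X.
build_filter() {
    ports_file=$1
    hc_addr=$2
    port_part=$(build_port_exclude_filter "$ports_file") || return 1
    if [ -n "$hc_addr" ]; then
        printf '%s && !(ip.addr == %s)' "$port_part" "$hc_addr"
    else
        printf '%s' "$port_part"
    fi
}

# Usage with placeholder names (assumed, not from the thread); not run here:
#   filter=$(build_filter unwanted-ports.txt 10.0.0.5) || exit 1
#   tshark -r capture.snoop -w kept.pcapng -Y "$filter"
# On a tshark old enough to lack -Y, use -R "$filter" as in Sake's reply.
```

Keeping the port list in a file also gives you something to diff and review later, which a 400-term filter pasted on a command line does not.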