Home page logo
/

wireshark logo Wireshark mailing list archives

Save meta data to pcap-ng file during first pass dissection in Wireshark?
From: Anders Broman <anders.broman () ericsson com>
Date: Wed, 23 Jan 2013 08:53:44 +0000

Hi,
Would it be feasible to have wireshark write packets out to a new file as they are analyzed during the first pass and 
read packets in from that
File for the rest of the session. By doing that reassembled packets could be stored in the pcap-ng packet block as a 
new option instead of
In memory and read back in together with the frame and stored (pointed to) in the fdata structure. Other metadata could 
probably be stored too in order to
Speed up filtering. The new file should have some marking that the first pass analysis is done and some stuff can be 
skiped if this file is read back in or
Reanalysed if the user so decides as all the original data should be retained. I'm sure there a pitfals in this kind of 
strategy but are there any major
Reasons why this cant/shouldn't be done? Comments? Ideas?

Best regards
Anders

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault