Re: searching pcap file
- Subject: Re: searching pcap file
- From: Quinn The Eskimo! <email@hidden>
- Date: Thu, 03 Sep 2015 15:38:52 +0100
On 3 Sep 2015, at 14:53, Scott Ribe <email@hidden> wrote:
> No, custom protocol, binary, compressed. I have no interest in the contents of packets.
But TCP, right?
I presume this means that the protocol is strictly request/response, that is, there's no pipelining, command queue, multiplexing, or whatever.
Furthermore, each request and response must necessarily fit into a single TCP segment, otherwise you will /have/ to look at the contents of the packets to find the request boundaries.
I must admit that I tend to use ad hoc means for this sort of thing. One of my favourite tricks is to use tshark to convert the packets to XML (PDML) and then run queries on the XML.
I keep meaning to write a tool to convert PDML to SQLite so that I can run complex queries on traces, but I've never got around to it (then again, a quick 'net search reveals I'm /far/ from the first person to think of this).
Share and Enjoy
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
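The PDML-to-SQLite idea mentioned in the message, as an added example that is not part of the original post or any tool its author wrote. The table layout, function names and the sample PDML are assumptions made for illustration; real input would come from `tshark -r <capture file> -T pdml`.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed PDML, cut down to three fields per packet; real tshark output
# carries many more protos and fields. Packets 2 and 4 are the only ones
# with TCP payload (a request and its response).
SAMPLE_PDML = """<pdml>
<packet><proto name="frame"><field name="frame.time_relative" show="0.000000"/></proto>
 <proto name="tcp"><field name="tcp.srcport" show="50000"/><field name="tcp.len" show="0"/></proto></packet>
<packet><proto name="frame"><field name="frame.time_relative" show="0.010000"/></proto>
 <proto name="tcp"><field name="tcp.srcport" show="50000"/><field name="tcp.len" show="120"/></proto></packet>
<packet><proto name="frame"><field name="frame.time_relative" show="0.012000"/></proto>
 <proto name="tcp"><field name="tcp.srcport" show="9000"/><field name="tcp.len" show="0"/></proto></packet>
<packet><proto name="frame"><field name="frame.time_relative" show="0.250000"/></proto>
 <proto name="tcp"><field name="tcp.srcport" show="9000"/><field name="tcp.len" show="300"/></proto></packet>
</pdml>"""


def load_pdml(xml_text):
    """Load every named PDML field into an in-memory (packet, name, show) table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE field (packet INTEGER, name TEXT, show TEXT)")
    for number, packet in enumerate(ET.fromstring(xml_text).iter("packet"), 1):
        # iter() also reaches fields nested inside other fields.
        db.executemany("INSERT INTO field VALUES (?, ?, ?)",
                       [(number, f.get("name"), f.get("show"))
                        for f in packet.iter("field") if f.get("name")])
    return db


def payload_segments(db):
    """Return (packet, time, source port, payload bytes) for segments with data."""
    return db.execute("""
        SELECT t.packet, CAST(t.show AS REAL), CAST(p.show AS INTEGER),
               CAST(l.show AS INTEGER)
        FROM field t
        JOIN field p ON p.packet = t.packet AND p.name = 'tcp.srcport'
        JOIN field l ON l.packet = t.packet AND l.name = 'tcp.len'
        WHERE t.name = 'frame.time_relative' AND CAST(l.show AS INTEGER) > 0
        ORDER BY t.packet""").fetchall()


if __name__ == "__main__":
    for row in payload_segments(load_pdml(SAMPLE_PDML)):
        print(row)
```

The query selects on TCP metadata only (time, port, payload length), so it never has to interpret the packet contents.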
Macnetworkprog mailing list (email@hidden)