Ethereal-users: Re: [Ethereal-users] how to output only first and last packets of a libpcap file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date: Wed, 15 Mar 2006 03:01:43 +0100
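#!/usr/bin/perl
# Write only the first and last packets of a libpcap file to a new file.
use strict;
use warnings;
use Net::Pcap;

my $in_file  = shift;
my $out_file = shift;
die "usage: $0 <in.pcap> <out.pcap>\n" unless defined $in_file && defined $out_file;

my ($err, $pkt, $last_pkt);
my (%hdr, %last_hdr);
my $n = 0;    # number of packets read

my $pcap_in = Net::Pcap::open_offline($in_file, \$err)
    or die "Can't read $in_file: $err\n";
my $pcap_out = Net::Pcap::dump_open($pcap_in, $out_file)
    or die "Can't write $out_file: " . Net::Pcap::geterr($pcap_in) . "\n";

# The first packet can be written as soon as it is read.
$pkt = Net::Pcap::next($pcap_in, \%hdr);
Net::Pcap::dump($pcap_out, \%hdr, $pkt) if defined $pkt;

# Keep a copy of the most recent packet and header until end of file.
while (defined $pkt) {
    $n++;
    $last_pkt = $pkt;
    %last_hdr = %hdr;
    $pkt = Net::Pcap::next($pcap_in, \%hdr);
}

# Write the last packet, unless it is also the first one.
Net::Pcap::dump($pcap_out, \%last_hdr, $last_pkt) if $n > 1;

Net::Pcap::dump_close($pcap_out);
Net::Pcap::close($pcap_in);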


On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
> Bahhh, I was hoping since libpcap files carried a header, the header let it know something that would make this possible without doing scenario 1) :)
>
> I have huge files, I will benchmark and see how long suggestion 1 takes per file
>
> - George
>
>
> > George P Nychis wrote:
> >
> >> How can I output the first and last packets of a libpcap file with
> >> tethereal?
> >
> > You can't, at least not in a simple fashion.  Tethereal is (by design and
> > intent) a strict one-pass application, and it doesn't know a packet is the
> > last packet until it tries to read the next packet and finds there isn't
> > one, at which point it's too late.
> >
> > You'd have to either
> >
> > 1) read the file once to find out how many packets are in it, and then try
> > a filter such as
> >
> > frame.number == 1 || frame.number == {number of frames}
> >
> > with {number of frames} replaced with the total number of frames in the
> > capture
> >
> > or
> >
> > 2) read it into Ethereal, mark the first and last frames, and save the
> > marked frames.
> >
> > The ambitious reader could perhaps develop a shell script to automate the
> > first of those suggestions.
> > _______________________________________________ Ethereal-users mailing
> > list Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users


--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
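
The classic libpcap global header stores a magic number, version, timezone, accuracy, snaplen and link type, but no packet count, so the last record can only be found by walking the per-packet headers. The following is an added example, not part of the original thread, that does this walk by seeking over payloads instead of decoding them. It assumes a seekable classic libpcap file (not pcapng); `first_last` and `build_sample` are hypothetical names, and the sample capture is constructed.

```python
import io
import struct

MAGICS = {0xA1B2C3D4, 0xA1B23C4D}  # classic pcap: microsecond / nanosecond

def first_last(src, dst):
    """Copy the first and last records of a seekable pcap stream to dst.
    Returns the number of complete records found in src."""
    size = src.seek(0, io.SEEK_END)
    src.seek(0)
    ghdr = src.read(24)
    if len(ghdr) != 24:
        raise ValueError("truncated pcap global header")
    # The magic number reveals the byte order of the writing host.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", ghdr[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic libpcap file")
    dst.write(ghdr)

    count, first, last, pos = 0, None, None, 24
    while pos + 16 <= size:
        src.seek(pos)
        # Record header: ts_sec, ts_usec, incl_len, orig_len.
        incl_len = struct.unpack(endian + "4I", src.read(16))[2]
        if pos + 16 + incl_len > size:   # truncated final record: ignore it
            break
        last = (pos, 16 + incl_len)      # (offset, length) of this record
        first = first or last
        count += 1
        pos += last[1]                   # skip the payload without reading it

    # A one-packet capture is written once, an empty one not at all.
    for off, length in [first, last][:min(count, 2)]:
        src.seek(off)
        dst.write(src.read(length))
    return count

def build_sample(payloads, endian="<"):
    """Constructed test capture: Ethernet link type, snaplen 65535."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, data in enumerate(payloads):
        out += struct.pack(endian + "4I", ts, 0, len(data), len(data)) + data
    return out
```

With real files, open both in binary mode, for example `first_last(open(src_path, "rb"), open(dst_path, "wb"))`.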