Ethereal-users: Re: [Ethereal-users] how to output only first and last packets of a libpcap fil

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "George P Nychis" <gnychis@xxxxxxx>
Date: Tue, 14 Mar 2006 21:20:50 -0500 (EST)

gnychis@monster ~/school/15744/project/logs $ perl first_last scen1-comcast_to_ini-comcast.log 
Global symbol "%last_hdr" requires explicit package name at first_last line 22.
Global symbol "%last_hdr" requires explicit package name at first_last line 26.
Execution of first_last aborted due to compilation errors.


> get it from CPAN and install it.
> 
> fastest way:
> 
> $ perl -MCPAN -e 'CPAN:shell'
> cpan> install Net::Pcap
> 
> 
> On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
>> By the way Luis, when i try to run the perl scripts it tells me I am
>> missing the Pcap library or something in perl:
>> 
>> Can't locate Net/Pcap.pm in @INC (@INC contains: /etc/perl
>> /usr/lib/perl5/site_perl/5.8.7/i686-linux-thread-multi
>> /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl
>> /usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi
>> /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.5
>> /usr/lib/perl5/vendor_perl/5.8.5/i686-linux-thread-multi
>> /usr/lib/perl5/vendor_perl/5.8.6
>> /usr/lib/perl5/vendor_perl/5.8.6/i686-linux-thread-multi
>> /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.7/i686-linux-thread-multi
>> /usr/lib/perl5/5.8.7 /usr/local/lib/site_perl .) at first_last line 3.
>> 
>> I've never worked with perl before really, where can i read about
>> installing this missing stuff?
>> 
>>> #!/usr/bin/perl
>>> use strict;
>>> use Net::Pcap;
>>> 
>>> my $in_file = shift;
>>> my $out_file = shift;
>>> 
>>> my ($err, $pcap_in, $pcap_out, $pcap_t, $first_pkt, $last_pkt, $pkt, $i);
>>> my %hdr;
>>> my $n = 0;
>>> 
>>> $pcap_in = Net::Pcap::open_offline($in_file, \$err);
>>> $pcap_out = Net::Pcap::dump_open($pcap_in, "$out_file");
>>> 
>>> my $first_pkt = Net::Pcap::next($pcap_in, \%hdr);
>>> $pkt = $first_pkt;
>>> 
>>> Net::Pcap::dump($pcap_out, \%hdr, $pkt);
>>> 
>>> do {
>>>     $last_pkt = $pkt;
>>>     %last_hdr = %hdr;
>>>     $pkt = Net::Pcap::next($pcap_in, \%hdr);
>>> } while (defined $pkt);
>>> 
>>> Net::Pcap::dump($last_pkt, \%last_hdr, $last_pkt);
>>> 
>>> Net::Pcap::dump_close($pcap_out);
>>> Net::Pcap::close($pcap_in);
>>> 
>>> 
>>> On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
>>>> bahhh, i was hoping since libpcap files carried a header, the
>>>> header let it know something that would make this possible without
>>>> doing scenario 1) :)
>>>> 
>>>> I have huge files, i will benchmark and see how long suggestion 1
>>>> takes per file
>>>> 
>>>> - George
>>>> 
>>>> 
>>>>> George P Nychis wrote:
>>>>> 
>>>>>> How can I output the first and last packets of a libpcap file
>>>>>> with tethereal?
>>>>> 
>>>>> You can't, at least not in a simple fashion.  Tethereal is (by
>>>>> design and intent) a strict one-pass application, and it doesn't
>>>>> know a packet is the last packet until it tries to read the next
>>>>> packet and finds there isn't one, at which point it's too late.
>>>>> 
>>>>> You'd have to either
>>>>> 
>>>>> 1) read the file once to find out how many packets are in it, and
>>>>>  then try a filter such as
>>>>> 
>>>>> frame.number == 1 || frame.number == {number of frames}
>>>>> 
>>>>> with {number of frames} replaced with the total number of frames
>>>>> in the capture
>>>>> 
>>>>> or
>>>>> 
>>>>> 2) read it into Ethereal, mark the first and last frames, and
>>>>> save the marked frames.
>>>>> 
>>>>> The ambitious reader could perhaps develop a shell script to
>>>>> automate the first of those suggestions. 
>>>>> _______________________________________________ Ethereal-users 
>>>>> mailing list Ethereal-users@xxxxxxxxxxxx 
>>>>> http://www.ethereal.com/mailman/listinfo/ethereal-users
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> --
>>>> 
>>>> 
>>> 
>>> 
>>> -- This information is top security. When you have read it, destroy 
>>> yourself. -- Marshall McLuhan 
>>> 
>>> 
>> 
>> 
>> --
>> 
>> 
> 
> 
> 
> 


--
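
Added example, not part of the thread and not code from any poster: the classic libpcap global header (24 bytes: magic, version, timezone, sigfigs, snaplen, link type) carries no packet count, so the last packet can only be found by walking every record header, as the replies above say. The sketch below does that in one streaming pass with only the Python standard library; `first_last` and `make_sample` are hypothetical names, and the sample capture is constructed inline.

```python
import io
import struct

# Magic bytes as they appear on disk -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",  # little-endian, usec / nsec
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",  # big-endian, usec / nsec
}

def first_last(src, dst):
    """Copy the first and last records of pcap stream src to dst; return packet count."""
    ghdr = src.read(24)
    endian = MAGICS.get(ghdr[:4])
    if len(ghdr) < 24 or endian is None:
        raise ValueError("not a classic libpcap file")
    dst.write(ghdr)                      # output needs the same global header
    count, last = 0, None
    while True:
        rhdr = src.read(16)              # ts_sec, ts_frac, incl_len, orig_len
        if len(rhdr) < 16:
            break
        incl_len = struct.unpack(endian + "IIII", rhdr)[2]
        data = src.read(incl_len)
        if len(data) < incl_len:
            break                        # truncated final record: ignore it
        count += 1
        if count == 1:
            dst.write(rhdr + data)       # first packet goes out immediately
        last = rhdr + data               # only the newest record is kept in memory
    if count > 1:
        dst.write(last)
    return count

def make_sample(payloads):
    """Constructed sample: little-endian pcap, link type 1, one record per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1142389250 + i, 0, len(p), len(p)) + p
    return out

if __name__ == "__main__":
    src = io.BytesIO(make_sample([b"first", b"middle", b"last"]))
    dst = io.BytesIO()
    print(first_last(src, dst), "packets read,", len(dst.getvalue()), "bytes written")
```

On real captures, pass file objects opened in binary mode; memory use stays at one packet regardless of file size.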