Ethereal-users: Re: [Ethereal-users] how to output only first and last packets of a libpcap fil

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "George P Nychis" <gnychis@xxxxxxx>
Date: Tue, 14 Mar 2006 21:48:01 -0500 (EST)
It seems as though it's only outputting the first packet for me...


gnychis@monster ~/school/15744/project/logs $ perl first_last scen1-comcast_to_ini-comcast.log output
gnychis@monster ~/school/15744/project/logs $ tethereal -r output -t ad
  1 2006-03-02 01:55:06.075098 192.168.1.112 -> 128.237.246.115 SSH Encrypted response packet len=48
gnychis@monster ~/school/15744/project/logs $

> #!/usr/bin/perl
> use strict;
> use Net::Pcap;
> 
> my $in_file  = shift;
> my $out_file = shift;
> 
> my ($err, $pcap_in, $pcap_out, $pcap_t, $first_pkt, $last_pkt, $pkt, $i);
> my %hdr;
> my $n = 0;
> 
> $pcap_in  = Net::Pcap::open_offline($in_file, \$err);
> $pcap_out = Net::Pcap::dump_open($pcap_in, "$out_file");
> 
> my $first_pkt = Net::Pcap::next($pcap_in, \%hdr);
> $pkt = $first_pkt;
> 
> Net::Pcap::dump($pcap_out, \%hdr, $pkt);
> 
> do {
>     $last_pkt = $pkt;
>     %last_hdr = %hdr;
>     $pkt = Net::Pcap::next($pcap_in, \%hdr);
> } while (defined $pkt);
> 
> Net::Pcap::dump($last_pkt, \%last_hdr, $last_pkt);
> 
> Net::Pcap::dump_close($pcap_out);
> Net::Pcap::close($pcap_in);
> 
> 
> On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
>> bahhh, I was hoping since libpcap files carried a header, the header
>> let it know something that would make this possible without doing
>> scenario 1) :)
>> 
>> I have huge files, I will benchmark and see how long suggestion 1 takes
>> per file
>> 
>> - George
>> 
>> 
>>> George P Nychis wrote:
>>> 
>>>> How can I output the first and last packets of a libpcap file with 
>>>> tethereal?
>>> 
>>> You can't, at least not in a simple fashion.  Tethereal is (by design
>>> and intent) a strict one-pass application, and it doesn't know a
>>> packet is the last packet until it tries to read the next packet and
>>> finds there isn't one, at which point it's too late.
>>> 
>>> You'd have to either
>>> 
>>> 1) read the file once to find out how many packets are in it, and
>>> then try a filter such as
>>> 
>>> frame.number == 1 || frame.number == {number of frames}
>>> 
>>> with {number of frames} replaced with the total number of frames in
>>> the capture
>>> 
>>> or
>>> 
>>> 2) read it into Ethereal, mark the first and last frames, and save
>>> the marked frames.
>>> 
>>> The ambitious reader could perhaps develop a shell script to automate
>>> the first of those suggestions. 
>>> _______________________________________________
>>> Ethereal-users mailing list
>>> Ethereal-users@xxxxxxxxxxxx
>>> http://www.ethereal.com/mailman/listinfo/ethereal-users
>>> 
>>> 
>> 
>> 
>> 
> 
> 
> --
> This information is top security. When you have read it, destroy
> yourself. -- Marshall McLuhan
> 
> 


--
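An added example, not from the thread or any of its posters: the quoted script stops after the first packet because its final dump call passes the packet (`$last_pkt`) where the dumper handle (`$pcap_out`) belongs. The Python below does the same job without Net::Pcap by parsing the libpcap format directly, which also makes the point from the thread concrete: the 24-byte global header carries no packet count, so the last record is only known at EOF. `make_pcap` builds a constructed sample capture; the byte-order and truncated-record handling go beyond the thread's own scenario.

```python
import struct

GLOBAL_HDR_LEN, REC_HDR_LEN = 24, 16
# Magic number read as little-endian -> struct byte-order prefix of the host
# that wrote the file; covers microsecond and nanosecond variants.
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">", 0xA1B23C4D: "<", 0x4D3CB2A1: ">"}

def first_and_last(pcap_bytes):
    """Return (global_header, first_record, last_record) as raw bytes; a
    record is its 16-byte header plus data. The global header carries no
    packet count, so the last record is only known at EOF."""
    if len(pcap_bytes) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    order = MAGICS.get(struct.unpack("<I", pcap_bytes[:4])[0])
    if order is None:
        raise ValueError("not a libpcap file: unknown magic")
    first = last = None  # both stay None for an empty capture
    off = GLOBAL_HDR_LEN
    while off + REC_HDR_LEN <= len(pcap_bytes):
        incl_len = struct.unpack(order + "I", pcap_bytes[off + 8:off + 12])[0]
        end = off + REC_HDR_LEN + incl_len
        if end > len(pcap_bytes):
            break  # truncated trailing record: keep the last complete one
        rec = pcap_bytes[off:end]
        if first is None:
            first = rec
        last = rec
        off = end
    return pcap_bytes[:GLOBAL_HDR_LEN], first, last

def first_last_capture(pcap_bytes):
    """New capture holding only the first and last records; a single-packet
    capture is written once, not duplicated."""
    hdr, first, last = first_and_last(pcap_bytes)
    out = hdr
    if first is not None:
        out += first if last is first else first + last
    return out

def make_pcap(payloads, order="<"):
    """Constructed sample capture (microsecond magic, linktype 1)."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = [struct.pack(order + "IIII", 1141264506 + i, 0, len(p), len(p)) + p
            for i, p in enumerate(payloads)]
    return hdr + b"".join(recs)

if __name__ == "__main__":  # usage: python first_last.py input.pcap output.pcap
    import sys
    with open(sys.argv[1], "rb") as src, open(sys.argv[2], "wb") as dst:
        dst.write(first_last_capture(src.read()))
```

The output file can be checked the same way as in the session above, with `tethereal -r output -t ad`, which should now list two frames.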