Wireshark-bugs: [Wireshark-bugs] [Bug 9686] New: editcap: excess parsing of input pcap files
Bug ID |
9686
|
Summary |
editcap: excess parsing of input pcap files
|
Classification |
Unclassified
|
Product |
Wireshark
|
Version |
1.10.5
|
Hardware |
All
|
OS |
All
|
Status |
UNCONFIRMED
|
Severity |
Enhancement
|
Priority |
Low
|
Component |
Extras
|
Assignee |
bugzilla-admin@wireshark.org
|
Reporter |
5764c029b688c1c0d24a2e97cd764f@gmail.com
|
Created attachment 12495 [details]
enhancement: avoiding the unnecessary parsing
Build Information:
wireshark 1.10.5 (SVNRev 54262 from /trunk-1.10)
Copyright 1998-2013 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GTK+ 3.8.6, with Cairo 1.12.16, with Pango 1.36.0, with
GLib 2.36.4, with libpcap, with libz 1.2.8, with POSIX capabilities (Linux),
without libnl, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, without
Python,
with GnuTLS 2.12.23, with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Oct 1 2013 23:28:12), with AirPcap.
Running on Linux 3.12-1-amd64, with locale en_GB.UTF-8, with libpcap version
1.5.2, with libz 1.2.8, GnuTLS 2.12.23, Gcrypt 1.5.3, without AirPcap.
Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz
Built using gcc 4.8.2.
--
Hi,
When I have a huge pcap file ("huge.pcap")
and I do this:
editcap -r -F libpcap huge.pcap tiny.pcap 1
Then I get a correct pcap-file (tiny.pcap) although what is surprising is that
editcap goes through the whole input pcap-file instead of terminating right
after the first (and definitely the last) packet was produced.
I wonder, why is this?
That is, cannot editcap compute the maximum packet number (wrt. given
selections) and then, when it reaches that packet-number, regardless of how
many other packets there are in the origin input pcap-file, it would terminate?
-----------------------------------------------------------------------------
The attached patch file (against wireshark-1.10.5) is my attempt to modify
editcap so that it avoids excess parsing. When applied, then things like:
editcap -r -F libpcap huge.pcap tiny.pcap 1
editcap -r -F libpcap huge.pcap tiny.pcap 1-10
editcap -r -F libpcap huge.pcap tiny.pcap 1-10 200-300
take the same time to complete regardless of the size of the input (huge.pcap)
file. (immeditelly after producing the 1-st, the 10-th, or 300-th packet
respectively).
You are receiving this mail because:
- You are watching all bug changes.