Wireshark-users: Re: [Wireshark-users] Editcap 100 argument limitation? (Jeff Morriss)
From: "Rob Campbell" <a.robcampbell@xxxxxxxxx>
Date: Fri, 22 Jun 2007 08:24:24 -0400

Message: 2
Date: Wed, 20 Jun 2007 16:06:25 -0400
From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Subject: Re: [Wireshark-users] Editcap 100 argument limitation?
To: Community support list for Wireshark
       <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <467988C1.7030803@xxxxxxxxxxx>
Content-Type: text/plain; charset=UTF-8; format=flowed



Stephen Fisher wrote:
> On Tue, Jun 19, 2007 at 04:48:15PM -0400, Rob Campbell wrote:
>
>> I did some experimenting and the problem seems to lie in that editcap
>> seems to only read the first 100 arguments (be it individual packet
>> numbers or sets of packet numbers).
>>
>> Is this limit intentional or can it be removed?  Is this a unix/linux
>> limitation?
>
> This is an arbitrary limit compiled into the editcap program:
>
> Line 109 of editcap.c:
>
>   static struct select_item selectfrm[100];
>
> How many arguments do you need to pass to editcap?  We could look into
> changing this limit or removing it entirely to make it dynamically
> allocate space for as many arguments as fit on the command-line.

I went ahead and (in rev 22145) increased the size of the array (up to
512).  If that's not enough we can always go to a dynamically sized
array, but that seems like overkill to me (now).

More importantly, I also made 'editcap' tell you when it runs out of
room for packet selections.



Thanks Jeff!  512 should be tons.  I was unaware of the ability to
use tethereal/tshark to read in from one pcap and output to a
different file using a wireshark display filter.

I was using tethereal to dump the pcaps to XML/Text and then parsing
the XML/Text files collecting all of the packet numbers that belonged
to a flow based on IP/Port information, and then using regular
expressions I was creating the sets of packet numbers to allow me more
than 100 packets.  Everything was done using tcl scripts so it's not
like I was manually entering 100 arguments or anything, but the silent
failure when it hit the 100 argument mark took me a little while to
figure out :)

Had I known that tethereal could do it for me by just passing
it the IP/Port information as a filter then I likely would never have
needed this, but reporting that it hit the limit is definitely a great
improvement as I'm sure someone will hit this again.

Thanks again,
Rob


---------------------------------------
Rob Campbell
a.robcampbell@xxxxxxxxx
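
An added illustration of the behaviour discussed in this thread (not code from editcap.c or from either poster): a fixed-size selection table that reports when it is full instead of silently ignoring further arguments. Only the array name `selectfrm` and the sizes come from the thread; the struct fields, function name, return codes, message text and the 1-based packet numbering are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_SELECTIONS 512   /* array size mentioned in the thread */

struct select_item { long first, last; };   /* field names are assumptions */

static struct select_item selectfrm[MAX_SELECTIONS];
static int n_selected = 0;

/* Parse "N" or "N-M" into the next free slot.
 * Returns 0 on success, -1 if the table is full, -2 on malformed input. */
int add_selection(const char *arg)
{
    char *end;
    long first, last;

    if (n_selected >= MAX_SELECTIONS) {   /* report, do not drop silently */
        fprintf(stderr, "out of room for packet selections (limit %d): %s\n",
                MAX_SELECTIONS, arg);
        return -1;
    }
    first = last = strtol(arg, &end, 10);
    if (end == arg || first < 1)          /* assumes 1-based packet numbers */
        return -2;
    if (*end == '-') {                    /* range form "N-M" */
        const char *p = end + 1;
        last = strtol(p, &end, 10);
        if (end == p || last < first)
            return -2;
    }
    if (*end != '\0')                     /* trailing junk */
        return -2;
    selectfrm[n_selected].first = first;
    selectfrm[n_selected].last = last;
    n_selected++;
    return 0;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (add_selection(argv[i]) != 0)
            return 1;                     /* fail loudly, never truncate the list */
    printf("%d selections stored\n", n_selected);
    return 0;
}
```

A script driving such a tool can check the exit status rather than discovering later that the output is missing packets.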