Tony,
> Is there an easy way I can remove or 'unmark' duplicate IP
> frames in a capture file? I currently have a trace file with
> lots of packets that are duplicated. I know they are
> duplicates because the IP SRC, dest, length, id etc all match
> - the frames match exactly all levels except for the
> timestamp which has a
> delta of 0.000001 or lower.
Here's an off-the-cuff Perl script which I hope goes some way to solve
your problem. It works trivially on the traces I have, but I can't
easily construct a trace with duplicates (editcap -r t.cap t2.cap 1-2
2-3 3-4 doesn't work as I expected).
I'm not sure how editcap will handle thousands of numbers entered on the
command line. But there's no reason why you can't write a loop around
this to repeat this process once you hit the command line maximum.
See also
http://ethereal.ntop.org/lists/ethereal-users/200303/msg00202.html for
some comments on why this approach may not be foolproof. (Although this
question related to the much harder problem of syncing two traces taken
at different points in the network).
<SNIP>
use strict;
use warnings;

die "Usage: ethdedup.pl trace.cap\n" unless $ARGV[0];
my $epsilon = 0.000001;    # Assume within 1us is the same time
$/ = "\n\n";               # Records are paragraphs

# List-form pipe open: the file name is passed as an argument, not via a shell
open(my $in, '-|', 'tethereal', '-x', '-r', $ARGV[0])
    or die "Cannot run tethereal: $!\n";

my $prev_time        = 0;
my $prev_description = "";
my $prev_hextext     = "";
my @to_kill          = ();

while (defined($_ = <$in>)) {
    s/^\s+//;    # remove leading spaces
    # Summary paragraph: frame number, relative time, rest of the line
    my ($fnum, $time, $description) = split(/ +/, $_, 3);
    # The next paragraph is the hex dump of the same frame
    defined(my $hextext = <$in>) or last;
    # Duplicate: same summary and hex dump as the previous frame, within $epsilon
    push @to_kill, $fnum if (
        ($time - $prev_time < $epsilon) and
        ($prev_description eq $description) and
        ($prev_hextext eq $hextext)
    );
    ($prev_description, $prev_hextext, $prev_time) =
        ($description, $hextext, $time);
    last if @to_kill > 100;    # Adjust as necessary
}
close $in;

if (@to_kill) {
    # editcap deletes the listed frame numbers when writing the output file
    my $cmd = "editcap $ARGV[0] $ARGV[0]_dedup.cap " .
        join(" ", @to_kill);
    print "Perhaps this command would work\n$cmd\n";
    #system $cmd;
} else {
    print "No duplicate frames detected\n";
}
__END__
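
Added example, not part of the original post: one way to write the loop around editcap mentioned above when there are more frame numbers than fit on one command line. It assumes each pass reads the previous pass's output, so batches are ordered highest frames first to keep the remaining frame numbers valid; the helper names, intermediate file names and batch size are hypothetical.

```perl
#!/usr/bin/perl
# Added example (not from the original post): plan chained editcap passes.
use strict;
use warnings;

# Collapse frame numbers into editcap "a-b" range arguments (fewer arguments).
sub to_ranges {
    my @n = sort { $a <=> $b } @_;
    my @ranges;
    while (@n) {
        my $start = my $end = shift @n;
        # Extend the range over consecutive (or repeated) frame numbers
        $end = shift @n while @n and $n[0] <= $end + 1;
        push @ranges, $start == $end ? "$start" : "$start-$end";
    }
    return @ranges;
}

# Split the ranges into batches of at most $max arguments, highest frames
# first: deleting a batch renumbers only frames after it, so the numbers
# in the batches still to come stay valid for the next pass.
sub plan_passes {
    my ($in, $out, $max, @frames) = @_;
    my @ranges = reverse to_ranges(@frames);
    my @cmds;
    my $src  = $in;
    my $pass = 0;
    while (@ranges) {
        my @batch = splice(@ranges, 0, $max);
        # Hypothetical intermediate names; the last pass writes $out
        my $dst = @ranges ? sprintf("%s.pass%d", $out, ++$pass) : $out;
        push @cmds, [ 'editcap', $src, $dst, @batch ];
        $src = $dst;
    }
    return @cmds;
}

# Constructed sample: frame numbers a dedup scan might have flagged.
my @to_kill = (3, 4, 5, 9, 17, 18, 40);
for my $cmd (plan_passes('trace.cap', 'trace_dedup.cap', 2, @to_kill)) {
    print join(' ', @$cmd), "\n";
    # Uncomment to run; the list form of system() bypasses the shell:
    # system(@$cmd) == 0 or die "editcap failed: $?\n";
}
```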