Ethereal-users: Re: [Ethereal-users] how to output only first and last packets of a libpcap file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 14 Mar 2006 17:48:31 -0800
George P Nychis wrote:

> How can I output the first and last packets of a libpcap file with tethereal?

You can't, at least not in a simple fashion. Tethereal is (by design and intent) a strict one-pass application, and it doesn't know a packet is the last packet until it tries to read the next packet and finds there isn't one, at which point it's too late.

You'd have to either

1) read the file once to find out how many packets are in it, and then try a filter such as

		frame.number == 1 || frame.number == {number of frames}

with {number of frames} replaced with the total number of frames in the capture

or

2) read it into Ethereal, mark the first and last frames, and save the marked frames.

The ambitious reader could perhaps develop a shell script to automate the first of those suggestions.
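
The first suggestion above as a two-pass shell script. This is an added example, not part of the original message or the Ethereal project's code. The function names and the `TETHEREAL` variable are hypothetical, and it assumes tethereal prints one summary line per packet when run with `-r` and without `-V`.

```shell
#!/bin/sh
# Added example: two-pass "first and last packet" extraction with tethereal.
# Assumption: default tethereal output is exactly one summary line per packet.
# TETHEREAL is a hypothetical override for the binary name or path.
TETHEREAL="${TETHEREAL:-tethereal}"

# Pass 1: read the whole capture once and count the frames.
count_frames() {
    "$TETHEREAL" -r "$1" | wc -l | tr -d ' '
}

# Build the read filter from the frame count.
# Rejects non-numeric and zero counts; a one-packet capture needs one term.
first_last_filter() {
    n="$1"
    case "$n" in
        ''|*[!0-9]*) echo "invalid frame count: $n" >&2; return 1 ;;
    esac
    if [ "$n" -eq 0 ]; then
        echo "capture contains no packets" >&2
        return 1
    elif [ "$n" -eq 1 ]; then
        echo "frame.number == 1"
    else
        echo "frame.number == 1 || frame.number == $n"
    fi
}

# Pass 2: re-read the capture with the filter applied (-R is the read filter).
first_last_packets() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    total=$(count_frames "$file") || return 1
    filter=$(first_last_filter "$total") || return 1
    "$TETHEREAL" -r "$file" -R "$filter"
}

# Run only when given exactly one argument: ./firstlast.sh capture.pcap
if [ "$#" -eq 1 ]; then
    first_last_packets "$1"
fi
```

Because the file is read twice, the count is only valid for a capture that is no longer being written to.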