Ethereal-users: Re: [Ethereal-users] how to output only first and last packets of a libpcap fil

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "George P Nychis" <gnychis@xxxxxxx>
Date: Tue, 14 Mar 2006 20:50:59 -0500 (EST)
bahhh, i was hoping since libpcap files carried a header, the header let it know something that would make this possible without doing scenario 1) :)

I have huge files, i will benchmark and see how long suggestion 1 takes per file

- George


> George P Nychis wrote:
> 
>> How can I output the first and last packets of a libpcap file with
>> tethereal?
> 
> You can't, at least not in a simple fashion.  Tethereal is (by design and
> intent) a strict one-pass application, and it doesn't know a packet is the
> last packet until it tries to read the next packet and finds there isn't
> one, at which point it's too late.
> 
> You'd have to either
> 
> 1) read the file once to find out how many packets are in it, and then try
> a filter such as
> 
> frame.number == 1 || frame.number == {number of frames}
> 
> with {number of frames} replaced with the total number of frames in the
> capture
> 
> or
> 
> 2) read it into Ethereal, mark the first and last frames, and save the 
> marked frames.
> 
> The ambitious reader could perhaps develop a shell script to automate the
> first of those suggestions. 
> _______________________________________________ Ethereal-users mailing
> list Ethereal-users@xxxxxxxxxxxx 
> http://www.ethereal.com/mailman/listinfo/ethereal-users
> 
> 


--