I certainly am not going to complain for all of your help :)
btw, your perl script beat "tethereal -r whatever.pcap -t ad > outfile && head -n 1 outfile && tail -n 1 outfile"
your perl script benchmarked 36 seconds, the script benchmarked 3 minutes and 47 seconds ;)
- George
> line 25 was wrong: Net::Pcap::dump($pcap_out, \%last_hdr, $last_pkt);
>
> As you might have noticed I put it down without testing...
>
>
> On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
>> It seems as though it's only outputting the first packet for me...
>>
>>
>> gnychis@monster ~/school/15744/project/logs $ perl first_last scen1-comcast_to_ini-comcast.log output
>> gnychis@monster ~/school/15744/project/logs $ tethereal -r output -t ad
>> 1 2006-03-02 01:55:06.075098 192.168.1.112 -> 128.237.246.115 SSH Encrypted response packet len=48
>> gnychis@monster ~/school/15744/project/logs $
>>
>>> #!/usr/bin/perl
>>> use strict;
>>> use Net::Pcap;
>>>
>>> my $in_file = shift;
>>> my $out_file = shift;
>>>
>>> my ($err, $pcap_in, $pcap_out, $pcap_t, $first_pkt, $last_pkt, $pkt, $i);
>>> my (%hdr, %last_hdr);
>>> my $n = 0;
>>>
>>> # Open the capture, and a dump file that inherits its link type and snaplen
>>> $pcap_in = Net::Pcap::open_offline($in_file, \$err);
>>> $pcap_out = Net::Pcap::dump_open($pcap_in, "$out_file");
>>>
>>> # Write the first packet
>>> $first_pkt = Net::Pcap::next($pcap_in, \%hdr);
>>> $pkt = $first_pkt;
>>>
>>> Net::Pcap::dump($pcap_out, \%hdr, $pkt);
>>>
>>> # Read to end of file, remembering the most recent packet and its header
>>> do {
>>>     $last_pkt = $pkt;
>>>     %last_hdr = %hdr;
>>>     $pkt = Net::Pcap::next($pcap_in, \%hdr);
>>> } while (defined $pkt);
>>>
>>> Net::Pcap::dump($last_pkt, \%last_hdr, $last_pkt);
>>>
>>> Net::Pcap::dump_close($pcap_out);
>>> Net::Pcap::close($pcap_in);
>>>
>>>
>>> On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
>>>> bahhh, I was hoping since libpcap files carried a header, the
>>>> header let it know something that would make this possible without
>>>> doing scenario 1) :)
>>>>
>>>> I have huge files, I will benchmark and see how long suggestion 1
>>>> takes per file
>>>>
>>>> - George
>>>>
>>>>
>>>>> George P Nychis wrote:
>>>>>
>>>>>> How can I output the first and last packets of a libpcap file
>>>>>> with tethereal?
>>>>>
>>>>> You can't, at least not in a simple fashion. Tethereal is (by
>>>>> design and intent) a strict one-pass application, and it doesn't
>>>>> know a packet is the last packet until it tries to read the next
>>>>> packet and finds there isn't one, at which point it's too late.
>>>>>
>>>>> You'd have to either
>>>>>
>>>>> 1) read the file once to find out how many packets are in it, and
>>>>> then try a filter such as
>>>>>
>>>>> frame.number == 1 || frame.number == {number of frames}
>>>>>
>>>>> with {number of frames} replaced with the total number of frames
>>>>> in the capture
>>>>>
>>>>> or
>>>>>
>>>>> 2) read it into Ethereal, mark the first and last frames, and
>>>>> save the marked frames.
>>>>>
>>>>> The ambitious reader could perhaps develop a shell script to
>>>>> automate the first of those suggestions.
>>>>> _______________________________________________ Ethereal-users
>>>>> mailing list Ethereal-users@xxxxxxxxxxxx
>>>>> http://www.ethereal.com/mailman/listinfo/ethereal-users
>>>>>
>>>>>
>>>
>>>
>>> -- This information is top security. When you have read it, destroy
>>> yourself. -- Marshall McLuhan
>>>
>>>
>>
>>
>>
>
>
--
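The thread turns on the fact that a classic libpcap file's 24-byte global header holds no packet count or index, so the last record can only be found by walking the 16-byte per-record headers. The following is an added example, not code from any poster in this thread: it finds the first and last packets by reading only the record headers and seeking past payloads. The function names and the sample capture are constructed for illustration, and it assumes the classic microsecond pcap format read from a seekable stream.

```python
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def first_last(stream):
    """Return (first, last, count); first/last are (ts_sec, ts_usec, bytes) or None."""
    size = stream.seek(0, io.SEEK_END)
    stream.seek(0)
    ghdr = stream.read(24)
    # The writer's byte order is only recoverable from the magic number.
    for endian in ("<", ">"):
        if len(ghdr) == 24 and struct.unpack(endian + "I", ghdr[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic microsecond pcap file")

    def read_record(pos):
        stream.seek(pos)
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "4I", stream.read(16))
        return ts_sec, ts_usec, stream.read(incl_len)

    # No packet count or index exists in the global header, so every record
    # header is visited; payload bytes are skipped rather than read.
    pos, count, first_pos, last_pos = 24, 0, None, None
    while pos + 16 <= size:
        stream.seek(pos + 8)                      # incl_len field of this record
        incl_len = struct.unpack(endian + "I", stream.read(4))[0]
        if pos + 16 + incl_len > size:            # truncated final record: ignore it
            break
        if first_pos is None:
            first_pos = pos
        last_pos = pos
        count += 1
        pos += 16 + incl_len
    if first_pos is None:
        return None, None, 0
    return read_record(first_pos), read_record(last_pos), count

def build_sample():
    """Constructed three-packet capture (little-endian, linktype 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate([b"first", b"middle-packet", b"last"]):
        out += struct.pack("<4I", 1141264506 + i, 75098, len(payload), len(payload)) + payload
    return out
```

A capture cut off mid-write ends in a partial record; the bounds check above drops it, so the reported last packet is the last complete one.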