Wireshark-bugs: [Wireshark-bugs] [Bug 9686] New: editcap: excess parsing of input pcap files

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Wed, 22 Jan 2014 08:58:32 +0000
Bug ID 9686
Summary editcap: excess parsing of input pcap files
Classification Unclassified
Product Wireshark
Version 1.10.5
Hardware All
OS All
Status UNCONFIRMED
Severity Enhancement
Priority Low
Component Extras
Assignee [email protected]
Reporter [email protected] 

Created attachment 12495 [details]
enhancement: avoiding the unnecessary parsing

Build Information:
wireshark 1.10.5 (SVNRev 54262 from /trunk-1.10)

Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 3.8.6, with Cairo 1.12.16, with Pango 1.36.0, with
GLib 2.36.4, with libpcap, with libz 1.2.8, with POSIX capabilities (Linux),
without libnl, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2, without
Python,
with GnuTLS 2.12.23, with Gcrypt 1.5.3, with MIT Kerberos, with GeoIP, with
PortAudio V19-devel (built Oct  1 2013 23:28:12), with AirPcap.

Running on Linux 3.12-1-amd64, with locale en_GB.UTF-8, with libpcap version
1.5.2, with libz 1.2.8, GnuTLS 2.12.23, Gcrypt 1.5.3, without AirPcap.
        Intel(R) Core(TM) i5-2400 CPU @ 3.10GHz

Built using gcc 4.8.2.
--
Hi,

When I have a huge pcap file ("huge.pcap")
and I do this:

  editcap -r -F libpcap huge.pcap tiny.pcap 1

Then I get a correct pcap-file (tiny.pcap) although what is surprising is that
editcap goes through the whole input pcap-file instead of terminating right
after the first (and definitely the last) packet was produced.

I wonder, why is this?

That is, cannot editcap compute the maximum packet number (wrt. given
selections) and then, when it reaches that packet-number, regardless of how
many other packets there are in the origin input pcap-file, it would terminate?

-----------------------------------------------------------------------------

The attached patch file (against wireshark-1.10.5) is my attempt to modify
editcap so that it avoids excess parsing. When applied, then things like:

  editcap -r -F libpcap huge.pcap tiny.pcap 1
  editcap -r -F libpcap huge.pcap tiny.pcap 1-10
  editcap -r -F libpcap huge.pcap tiny.pcap 1-10 200-300

take the same time to complete regardless of the size of the input (huge.pcap)
file. (immeditelly after producing the 1-st, the 10-th, or 300-th packet
respectively).

You are receiving this mail because:
  • You are watching all bug changes.