Wireshark-dev: Re: [Wireshark-dev] 90GB pcap file get last frame time stamp

From: Josh Clark <josh@xxxxxxxxxxxx>
Date: Fri, 26 Feb 2021 12:50:01 -0500
I tried to respond, but used the wrong email somehow. Here's the text of it:

The tricky part of it is how the PCAP headers are structured. If you look at the packet header format, there's nothing that by default says that it's a packet header. So to make sure we can return the timestamp of the last packet, we are required to touch the header of every single packet, read in the packet size, and then skip to the next packet header.

Writing a specialized script to do this may get you a bit better performance than running capinfos. I have some sample code in Python (https://github.com/je-clark/DFC19-PacketAnalysis/blob/master/PacketAnalysisWithPython.ipynb) that may be useful.

Global Header Format

typedef struct pcap_hdr_s {
        guint32 magic_number;   /* magic number */
        guint16 version_major;  /* major version number */
        guint16 version_minor;  /* minor version number */
        gint32  thiszone;       /* GMT to local correction */
        guint32 sigfigs;        /* accuracy of timestamps */
        guint32 snaplen;        /* max length of captured packets, in octets */
        guint32 network;        /* data link type */
} pcap_hdr_t;
Packet Header Format

typedef struct pcaprec_hdr_s {
        guint32 ts_sec;         /* timestamp seconds */
        guint32 ts_usec;        /* timestamp microseconds */
        guint32 incl_len;       /* number of octets of packet saved in file */
        guint32 orig_len;       /* actual length of packet */
} pcaprec_hdr_t;
On Fri, Feb 26, 2021 at 12:42 PM Richard Sharpe <realrichardsharpe@xxxxxxxxx> wrote:
On Fri, Feb 26, 2021 at 9:10 AM Raj sekar <mrajsekar@xxxxxxxxx> wrote:
>
> Hi Everyone!
>
> Need some help. Is there any library or method to get a large (offline) pcap file's last timestamp?
>
> I know capinfos can get this. But I want something faster than capinfos.
>
> Any suggestion?

Because each captured frame can be a different length, normally you
would have to skip all the preceding frames to get the timestamp of
the last record.

However, a heuristic approach might be to read the header to get the
capture-length, and then read that much from the end of the file and
look for an appropriate record header ...

On the other hand, I am unaware of any code that does that.

--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. -- Cao Cao) (Legend has it that Du Kang was the inventor of wine)
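Both approaches in this thread, Josh's walk over every record header and Richard's read-from-the-end heuristic, as an added, self-contained example (this is not Josh's notebook code nor anything from Wireshark; it only uses the pcap_hdr_t and pcaprec_hdr_t layouts quoted above). The sample capture is constructed in the script, and the timestamps, packet sizes, and the hypothetical crafted record used to exercise the sanity checks are all made up for the demo:

```python
import io
import struct

# libpcap magic numbers: microsecond and nanosecond timestamp resolution
MAGIC_USEC = 0xA1B2C3D4
MAGIC_NSEC = 0xA1B23C4D
GLOBAL_HDR_LEN = 24   # sizeof(pcap_hdr_t)
REC_HDR_LEN = 16      # sizeof(pcaprec_hdr_t)


def read_global_header(f):
    """Parse pcap_hdr_t: detect byte order from the magic, return snaplen and timestamp resolution."""
    raw = f.read(GLOBAL_HDR_LEN)
    if len(raw) != GLOBAL_HDR_LEN:
        raise ValueError("file too short for a pcap global header")
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", raw[:4])[0]
        if magic in (MAGIC_USEC, MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file (unknown magic)")
    _magic, _vmaj, _vmin, _zone, _sig, snaplen, _link = struct.unpack(endian + "IHHiIII", raw)
    frac_limit = 1_000_000_000 if magic == MAGIC_NSEC else 1_000_000
    return {"endian": endian, "snaplen": snaplen, "frac_limit": frac_limit}


def plausible(hdr, ts_frac, incl_len, orig_len):
    """Sanity checks on a pcaprec_hdr_t. A corrupt or crafted incl_len must never drive a seek past EOF
    or an oversized read; the format guarantees incl_len <= snaplen and incl_len <= orig_len."""
    return incl_len <= hdr["snaplen"] and incl_len <= orig_len and ts_frac < hdr["frac_limit"]


def last_timestamp_sequential(f):
    """Josh's approach: touch every record header, read incl_len, seek over the packet bytes.
    Returns (ts_sec, ts_frac) of the last complete record, or None if there is none."""
    f.seek(0)
    hdr = read_global_header(f)
    f.seek(0, io.SEEK_END)
    size = f.tell()
    pos, last = GLOBAL_HDR_LEN, None
    while pos + REC_HDR_LEN <= size:
        f.seek(pos)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(hdr["endian"] + "IIII", f.read(REC_HDR_LEN))
        if not plausible(hdr, ts_frac, incl_len, orig_len):
            raise ValueError(f"implausible record header at offset {pos}")
        if pos + REC_HDR_LEN + incl_len > size:
            break   # final record is truncated: stop at the last complete one
        last = (ts_sec, ts_frac)
        pos += REC_HDR_LEN + incl_len
    return last


def last_timestamp_from_tail(f):
    """Richard's heuristic: the last record header must lie within snaplen + 16 bytes of EOF.
    Read only that window and scan it backward for a header whose incl_len runs exactly to EOF,
    whose fields pass the plausibility checks, and whose ts_sec is not before the first record's.
    Returns None when nothing fits (for example a file whose last record is truncated)."""
    f.seek(0)
    hdr = read_global_header(f)
    first = f.read(REC_HDR_LEN)
    if len(first) < REC_HDR_LEN:
        return None
    first_ts_sec = struct.unpack(hdr["endian"] + "I", first[:4])[0]
    f.seek(0, io.SEEK_END)
    size = f.tell()
    window = min(size - GLOBAL_HDR_LEN, hdr["snaplen"] + REC_HDR_LEN)
    f.seek(size - window)
    tail = f.read(window)
    for i in range(len(tail) - REC_HDR_LEN, -1, -1):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(hdr["endian"] + "IIII", tail[i:i + REC_HDR_LEN])
        if (incl_len == len(tail) - i - REC_HDR_LEN
                and plausible(hdr, ts_frac, incl_len, orig_len)
                and ts_sec >= first_ts_sec):
            return (ts_sec, ts_frac)
    return None


def build_record(endian, ts_sec, ts_frac, incl_len, orig_len, payload):
    """Serialize one pcaprec_hdr_t plus payload; incl_len is taken as given so tests can craft bad values."""
    return struct.pack(endian + "IIII", ts_sec, ts_frac, incl_len, orig_len) + payload


def build_sample_pcap(packets, endian="<", magic=MAGIC_USEC, snaplen=65535):
    """Constructed test data, not a real capture: a pcap holding the given (ts_sec, ts_frac, payload) records."""
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, 1)   # link type 1 = Ethernet
    for ts_sec, ts_frac, payload in packets:
        out += build_record(endian, ts_sec, ts_frac, len(payload), len(payload), payload)
    return out


def as_file(data):
    """Wrap constructed bytes as a seekable file object; on a real 90 GB capture pass open(path, 'rb')."""
    return io.BytesIO(data)


# Made-up records: three packets of different lengths with increasing timestamps.
SAMPLE_PACKETS = [
    (1614358800, 123456, b"\x00" * 60),
    (1614358801, 500000, b"\xff" * 1500),
    (1614358802, 999999, b"A" * 14 + b"B" * 26),
]

if __name__ == "__main__":
    data = build_sample_pcap(SAMPLE_PACKETS)
    print("sequential walk :", last_timestamp_sequential(as_file(data)))
    print("tail heuristic  :", last_timestamp_from_tail(as_file(data)))
```

The sequential walk is still O(number of packets) in seeks and 16-byte reads, so on a 90 GB file it is bound by how fast the kernel can serve those small reads; the tail heuristic touches at most snaplen + 16 bytes. The heuristic is probabilistic: a payload that happens to contain a 4-byte value equal to the remaining length, plus plausible neighbours, would be misread as a header, and a file whose last record was cut off yields None rather than a wrong answer. The plausibility checks matter for the sequential walk too: without them a capture with a corrupted or deliberately bogus incl_len would send the loop seeking far past the end of the file instead of failing at the offending offset.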
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe