On Tue, Jun 19, 2007 at 04:48:15PM -0400, Rob Campbell wrote:
>
> Just curious if this is a known issue or something that is out of
> your control.
> I noticed that some of the flows in my pcaps have nowhere near the
> expected number of packets after separating an individual flow using
> editcap.
>
> ie. editcap -r /pub/mypcap.pcap /pub/mysubcap.pcap 1-3 6-7 12-14 15-16
> 20-40 etc. etc.
>
> I have several pcaps I am analyzing that have flows that have 6000+
> packets, but they are very spread out across the pcap, resulting in only
> sets of 2-10 packets together.
How do you select these packet-ranges? Can't they be selected by a
display-filter? If they can, you could use the following syntax
to create the capture file which contains only the packets of
interest:
tshark -r <infile> -w <outfile> -R <display filter>
> I did some experimenting and the problem seems to lie in that editcap
> seems to only read the first 100 arguments (be it individual packet
> numbers or sets of packet numbers).
>
> Is this limit intentional or can it be removed? Is this a unix/linux
> limitation?
This is intentional, the following is from editcap.c:
static struct select_item selectfrm[100];
It means that there is only room for 100 "select-items". How many
would you need for your purpose? It might be changed in the source
code? Personally I think a hundred items should be sufficient, because
if I need to enter that many packet-ranges, I would try to find
some other way of selecting the packets needed (like the command
above).
Hope this helps, Cheers,
Sake
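The 100-entry cap is in editcap's argument handling, not in the pcap format, so a small standalone reader can apply any number of frame ranges. The following is an added example written for this note, not code from the mail, from editcap, or from Wireshark; it assumes classic libpcap files (not pcapng), keeps the selected frames the way `editcap -r` does, and uses constructed sample frames (`build_sample_pcap`) rather than a real capture.

```python
import struct

PCAP_HDR_LEN = 24   # libpcap global header
REC_HDR_LEN = 16    # per-record header: ts_sec, ts_usec, incl_len, orig_len
MAGICS = {          # first four bytes of the file -> struct byte-order prefix
    b"\xd4\xc3\xb2\xa1": "<",   # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",   # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",   # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",   # big-endian, nanosecond timestamps
}


def parse_ranges(args):
    """Turn editcap-style selections ("5", "1-3", "20-40") into a set of 1-based frame numbers.
    There is no limit on how many selections are accepted."""
    wanted = set()
    for arg in args:
        lo, _, hi = arg.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if lo < 1 or hi < lo:
            raise ValueError(f"bad packet range: {arg!r}")
        wanted.update(range(lo, hi + 1))
    return wanted


def iter_records(data):
    """Yield (frame_number, record_header, packet_bytes) from a classic pcap blob."""
    if len(data) < PCAP_HDR_LEN:
        raise ValueError("not a pcap file: too short")
    order = MAGICS.get(data[:4])
    if order is None:
        raise ValueError("unknown pcap magic (pcapng is not handled here)")
    off, frame = PCAP_HDR_LEN, 0
    while off < len(data):
        rec = data[off:off + REC_HDR_LEN]
        if len(rec) < REC_HDR_LEN:
            raise ValueError(f"truncated record header at offset {off}")
        _, _, incl_len, _ = struct.unpack(order + "IIII", rec)
        pkt = data[off + REC_HDR_LEN:off + REC_HDR_LEN + incl_len]
        if len(pkt) != incl_len:
            raise ValueError(f"truncated packet data at offset {off}")
        frame += 1
        yield frame, rec, pkt
        off += REC_HDR_LEN + incl_len


def select_frames(data, ranges):
    """Keep only the frames named in `ranges` (editcap -r semantics).
    Returns (new_pcap_bytes, list_of_kept_frame_numbers)."""
    wanted = parse_ranges(ranges)
    out = bytearray(data[:PCAP_HDR_LEN])   # global header is copied unchanged
    kept = []
    for frame, rec, pkt in iter_records(data):
        if frame in wanted:
            out += rec + pkt                # record header and bytes copied verbatim
            kept.append(frame)
    return bytes(out), kept


def build_sample_pcap(count):
    """Constructed test data (not a real capture): `count` tiny Ethernet-linktype frames,
    each a 14-byte zero header followed by one marker byte equal to the frame number mod 256."""
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = bytearray()
    for n in range(1, count + 1):
        payload = b"\x00" * 14 + bytes([n & 0xFF])
        body += struct.pack("<IIII", 1182284895 + n, 0, len(payload), len(payload)) + payload
    return ghdr + bytes(body)


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 4:
        sys.exit("usage: select_frames.py <infile.pcap> <outfile.pcap> <range> [<range> ...]")
    with open(sys.argv[1], "rb") as f:
        new_pcap, kept = select_frames(f.read(), sys.argv[3:])
    with open(sys.argv[2], "wb") as f:
        f.write(new_pcap)
    print(f"kept {len(kept)} frames")
```

Ranges are given on the command line exactly as for `editcap -r` (`1-3 6-7 12-14 ...`), and because the selections are merged into one set, overlapping or unsorted ranges are harmless. Because the script copies record headers and packet bytes verbatim, the output stays byte-compatible with Wireshark and editcap; only the global header's byte order and timestamp resolution are checked, so a pcapng input is rejected rather than mis-parsed.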