Wireshark-users: Re: [Wireshark-users] editcap question

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Wed, 22 Jan 2014 08:38:10 +0100

Hi,

Looks interesting enough. Usually patches are handled through our bug tracking
system, so that they don't get lost. You may want to do the same.

Thanks,
Jaap


On 01/21/2014 07:07 PM, Matej Kosik wrote:
> Hi,
> 
> When I have a huge pcap file ("huge.pcap")
> and I do this:
> 
>   editcap -r -F libpcap huge.pcap tiny.pcap 1
> 
> Then I get a correct pcap-file (tiny.pcap)
> although what is surprising is that editcap goes through the whole input pcap-file
> instead of terminating right after the first (and definitely the last) packet was produced.
> 
> I wonder, why is this?
> 
> That is, cannot editcap compute the maximum packet number (wrt. given selections) and then,
> when it reaches that packet-number, regardless of how many other packets there are in the origin input pcap-file,
> it would terminate?
> 
> -------------------------------------------------------------------------------------
> 
> The attached patch file (against wireshark-1.10.5)
> is my attempt to modify editcap so that it avoids excess parsing.
> When applied, then things like:
> 
>   editcap -r -F libpcap huge.pcap tiny.pcap 1
>   editcap -r -F libpcap huge.pcap tiny.pcap 1-10
>   editcap -r -F libpcap huge.pcap tiny.pcap 1-10 200-300
> 
> take the same time to complete regardless of the size of the input (huge.pcap) file.
> (immediately after producing the 1-st, the 10-th, or 300-th packet respectively).
> 
> 
>