Wireshark mailing list archives

editcap -B


From: Sake Blok <sake () euronet nl>
Date: Fri, 12 Nov 2010 15:03:17 +0100

Hello,

I ran into some unexpected behavior of editcap. The -A and -B options can be used to select a certain time range from a 
capture file. I would have expected -B to *not* include packets that were seen in that particular second. Here is what 
I got:

sake@MacSake:/tmp$ editcap -A "2010-11-08 20:00:00" -B "2010-11-09 00:00:00" tmp.cap tmp2.cap
sake@MacSake:/tmp$ capinfos -Teca tmp*
File name       Number of packets       Start time      End time
tmp.cap 4500000 Mon Nov  8 19:52:42 2010        Tue Nov  9 00:00:37 2010
tmp2.cap        4364047 Mon Nov  8 20:00:00 2010        Tue Nov  9 00:00:00 2010
sake@MacSake:/tmp$ tshark -ta -r tmp2.cap | tail
4364038 23:59:56.440017  10.94.206.2 -> 224.0.0.2    HSRP Hello (state Active)
4364039 23:59:56.994172 00:19:2f:57:49:ea -> 01:00:0c:cc:cc:cd STP RST. Root = 4096/638/00:19:07:f5:24:00  Cost = 0  Port = 0x83a3
4364040 23:59:57.112757  10.94.206.3 -> 224.0.0.2    HSRP Hello (state Standby)
4364041 23:59:58.994450 00:19:2f:57:49:ea -> 01:00:0c:cc:cc:cd STP RST. Root = 4096/638/00:19:07:f5:24:00  Cost = 0  Port = 0x83a3
4364042 23:59:59.228845  10.94.206.3 -> 224.0.0.2    HSRP Advertise (state Passive)
4364043 23:59:59.372142  10.94.206.2 -> 224.0.0.2    HSRP Hello (state Active)
4364044 00:00:00.020821  10.94.206.3 -> 224.0.0.2    HSRP Hello (state Standby)
4364045 00:00:00.675857 78:e7:d1:f9:35:38 -> 00:1b:78:e2:cd:3a ARP Who has 10.94.206.170?  Tell 10.94.206.161
4364046 00:00:00.676047 00:1b:78:e2:cd:3a -> 78:e7:d1:f9:35:38 ARP 10.94.206.170 is at 00:1b:78:e2:cd:3a
4364047 00:00:00.995831 00:19:2f:57:49:ea -> 01:00:0c:cc:cc:cd STP RST. Root = 4096/638/00:19:07:f5:24:00  Cost = 0  Port = 0x83a3
sake@MacSake:/tmp$ 

To me, it's illogical to include packets 4364044 to 4364047, as they would also be included when 
'editcap -A "2010-11-09 00:00:00" -B "2010-11-09 04:00:00"' would be used to generate the next interval (yes I know, 
intervals can be done with -i).

I would expect '-A "2010-11-08 20:00:00" -B "2010-11-09 00:00:00"' to mean: All packets with a timestamp starting at 
"2010-11-08 20:00:00" and *before* "2010-11-09 00:00:00".

Does anyone object to me changing (correcting) the current behavior of "-B" to what I would have expected?

Cheers,


Sake
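The boundary behaviour described in the post, as an added example that is not part of the original message or of editcap's own code: it models the observed whole-second, inclusive -B next to the expected exclusive -B and shows why consecutive slices end up sharing packets. The packet timestamps are constructed, and the whole-second comparison is an assumption inferred from the quoted tshark output.

```python
import math
from datetime import datetime, timezone


def parse_bound(text):
    """Parse an editcap-style -A/-B bound ('YYYY-MM-DD HH:MM:SS') to whole epoch seconds.
    UTC is assumed here so the numbers are deterministic; editcap itself reads local time."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


START = parse_bound("2010-11-08 20:00:00")
STOP = parse_bound("2010-11-09 00:00:00")
NEXT_STOP = parse_bound("2010-11-09 04:00:00")

# Constructed sample: (frame number, epoch timestamp with microseconds), modelled on the
# tshark output in the post but not taken from tmp.cap.
PACKETS = [
    (1, START - 1.5),        # 19:59:58.500  before -A, dropped either way
    (2, START + 0.0),        # 20:00:00.000  exactly at -A, kept either way
    (3, STOP - 0.627858),    # 23:59:59.372  last packet inside the range
    (4, STOP + 0.020821),    # 00:00:00.021  inside the -B second
    (5, STOP + 0.995831),    # 00:00:00.996  still inside the -B second
    (6, STOP + 1.2),         # 00:00:01.200  past the -B second, dropped either way
]


def observed_filter(packets, start, stop):
    """Selection consistent with the post: both bounds compared at whole-second granularity
    and inclusive, so every packet stamped within the -B second survives (assumption)."""
    return [n for n, ts in packets if start <= math.floor(ts) <= stop]


def expected_filter(packets, start, stop):
    """Selection the poster expected: -A inclusive, -B exclusive (start <= ts < stop)."""
    return [n for n, ts in packets if start <= ts < stop]


def double_counted(packets, a, b, c, select):
    """Frames that land in both adjacent slices [a, b] and [b, c] under a selection rule.
    A non-empty result means slicing a capture by consecutive time ranges duplicates packets."""
    return sorted(set(select(packets, a, b)) & set(select(packets, b, c)))


if __name__ == "__main__":
    print("observed:", observed_filter(PACKETS, START, STOP))                            # [2, 3, 4, 5]
    print("expected:", expected_filter(PACKETS, START, STOP))                            # [2, 3]
    print("dup obs :", double_counted(PACKETS, START, STOP, NEXT_STOP, observed_filter))  # [4, 5]
    print("dup exp :", double_counted(PACKETS, START, STOP, NEXT_STOP, expected_filter))  # []
```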

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev