Wireshark mailing list archives

Re: [Wireshark-commits] rev 51854: /trunk/ /trunk/doc/: editcap.pod /trunk/: editcap.c


From: "Maynard, Chris" <Christopher.Maynard () GTECH COM>
Date: Sun, 8 Sep 2013 23:05:37 -0400

Please note that we actually have up to 2 regions that can be chopped in a single pass by using multiple -C options (1 
region specified by the positive length and the other region specified by the negative length).  However, one must 
ensure that the region specified by the positive length does not cross the region specified by the negative length; 
otherwise, nothing will be chopped since we're being told to retain all bytes specified by the offsets.

For example, given the following 75 byte packet, suppose we want to chop the 2 regions marked 10 and 20 in a single 
pass.

    <--------------------------- 75 ---------------------------->

    +---+-------+-----------+---------------+-------------------+
    | 5 |   10  |     15    |       20      |         25        |
    +---+-------+-----------+---------------+-------------------+

There are only 4 ways to successfully achieve this:
1) editcap -C 5:10 -C -25:-20 in.pcap out.pcap
2) editcap -C 5:10 -C 50:-20 in.pcap out.pcap
3) editcap -C -70:10 -C -25:-20 in.pcap out.pcap
4) editcap -C -70:10 -C 50:-20 in.pcap out.pcap

For clarity, these are the other methods, which will NOT work:
1) editcap -C 30:20 -C -60:-10 in.pcap out.pcap
2) editcap -C 30:20 -C 15:-10 in.pcap out.pcap
3) editcap -C -45:20 -C -60:-10 in.pcap out.pcap
4) editcap -C -45:20 -C 15:-10 in.pcap out.pcap

Using the 1st invalid example, the reason why it fails is because we're being told to specifically retain the 1st 30 
bytes, but unfortunately, we're also told to specifically retain the last 60 bytes.  What this effectively says is to 
retain 80 bytes.  While we don't even have 80 bytes, it obviously means that we're going to retain all 75 bytes of the 
packet.  Compare that to the 1st valid example where we're only told to retain 30 bytes - the 1st 5 bytes and the last 
25 bytes, so we have up to 45 bytes available for chopping there, of which we chop 30 (from 2 different regions - 10 
from one region and 20 from the other).

I'm not sure this is entirely clear from the documentation, but I didn't want to write a novel explaining this.  
Clarification suggestions are welcome!
- Chris

-----Original Message-----
From: wireshark-commits-bounces () wireshark org [mailto:wireshark-commits-bounces () wireshark org] On Behalf Of 
cmaynard () wireshark org
Sent: Sunday, September 08, 2013 9:04 PM
To: wireshark-commits () wireshark org
Subject: [Wireshark-commits] rev 51854: /trunk/ /trunk/doc/: editcap.pod /trunk/: editcap.c

http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=51854

User: cmaynard
Date: 2013/09/08 06:04 PM

Log:
 OK, allow either positive or negative offsets no matter if we're chopping from the beginning or the end.

 Given the following example, it's now possible to chop the 10 bytes depicted from the 100 byte packet 4 different ways 
and achieve the exact same results:

     <-------- 100 -------->       Methods:
                                   1) editcap -C 20:10 in.pcap out.pcap
     +------+----+---------+       2) editcap -C -80:10 in.pcap out.pcap
     |  20  | 10 |   70    |       3) editcap -C -70:-10 in.pcap out.pcap
     +------+----+---------+       4) editcap -C 30:-10 in.pcap out.pcap

Directory: /trunk/doc/
  Changes    Path           Action
  +2 -2      editcap.pod    Modified

Directory: /trunk/
  Changes    Path          Action
  +37 -30    editcap.c     Modified
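
The following C model is an added illustration, not part of the original message and not code from editcap.c. It applies the rule described in the message (a positive length retains a prefix and chops forwards, a negative length retains a suffix and chops backwards, and crossed regions chop nothing) to a constructed packet. The names `remaining` and `last_out`, and the rejection of inputs the message does not describe, are assumptions of this example.

```c
#include <stdio.h>

/* Added model, not editcap.c: all names here are this example's own. */
unsigned char last_out[256];   /* bytes retained by the latest call */

/*
 * Apply up to two "-C offset:length" options to a constructed packet whose
 * byte i has value i. Returns the number of bytes retained, or -1 for
 * input the message does not describe.
 */
int remaining(int caplen, int off1, int len1, int off2, int len2)
{
    int off[2] = {off1, off2}, len[2] = {len1, len2};
    int prefix = 0, suffix = 0, nbeg = 0, nend = 0;

    if (caplen < 0 || caplen > 256 || (len1 > 0 && len2 > 0) || (len1 < 0 && len2 < 0))
        return -1;
    for (int i = 0; i < 2; i++) {
        if (len[i] > 0) {          /* retain a prefix, then chop forwards */
            nbeg = len[i];
            prefix = off[i] >= 0 ? off[i] : caplen + off[i];
        } else if (len[i] < 0) {   /* retain a suffix, then chop backwards */
            nend = -len[i];
            suffix = off[i] <= 0 ? -off[i] : caplen - off[i];
        }
    }
    if (prefix < 0 || suffix < 0)
        return -1;
    if (prefix + suffix > caplen)
        nbeg = nend = 0;           /* regions cross: retain every byte */
    else if (nbeg + nend > caplen - prefix - suffix)
        return -1;                 /* asks for more than is available */

    int n = 0;
    for (int i = 0; i < caplen; i++) {
        int in_beg = i >= prefix && i < prefix + nbeg;
        int in_end = i >= caplen - suffix - nend && i < caplen - suffix;
        if (!in_beg && !in_end)
            last_out[n++] = (unsigned char)i;
    }
    return n;
}

int main(void)
{
    printf("valid   -C 5:10  -C -25:-20 -> %d bytes\n", remaining(75, 5, 10, -25, -20));
    printf("invalid -C 30:20 -C -60:-10 -> %d bytes\n", remaining(75, 30, 20, -60, -10));
    printf("commit  -C -70:-10          -> %d bytes\n", remaining(100, -70, -10, 0, 0));
    return 0;
}
```

Passing `0, 0` for the second pair models a single `-C` option, as in the four methods from the commit log.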