Wireshark mailing list archives
editcap question
From: Matej Kosik <5764c029b688c1c0d24a2e97cd764f () gmail com>
Date: Tue, 21 Jan 2014 18:07:34 +0000
Hi,

When I have a huge pcap file ("huge.pcap") and I do this:

    editcap -r -F libpcap huge.pcap tiny.pcap 1

Then I get a correct pcap-file (tiny.pcap) although what is surprising is that editcap goes through the whole input pcap-file instead of terminating right after the first (and definitely the last) packet was produced.

I wonder, why is this? That is, cannot editcap compute the maximum packet number (wrt. given selections) and then, when it reaches that packet-number, regardless of how many other packets there are in the origin input pcap-file, it would terminate?

-------------------------------------------------------------------------------------

The attached patch file (against wireshark-1.10.5) is my attempt to modify editcap so that it avoids excess parsing. When applied, then things like:

    editcap -r -F libpcap huge.pcap tiny.pcap 1
    editcap -r -F libpcap huge.pcap tiny.pcap 1-10
    editcap -r -F libpcap huge.pcap tiny.pcap 1-10 200-300

take the same time to complete regardless of the size of the input (huge.pcap) file (immediately after producing the 1-st, the 10-th, or 300-th packet respectively).
Attachment:
hack.diff
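The early-termination idea described in the message above, as an added example that is neither the attached hack.diff nor Wireshark's code: a Python reader for classic libpcap files that keeps the selected records (the `-r` case) and stops reading once the highest selected record number has been copied. The function names are assumptions made for this example, it handles only the microsecond-resolution pcap magic, and the sample capture is constructed in memory.

```python
import struct

GLOBAL_HDR_LEN = 24   # classic libpcap file header
RECORD_HDR_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len

def parse_selections(specs):
    """Turn ["1-10", "200"] into (first, last) pairs, 1-based and inclusive."""
    ranges = []
    for spec in specs:
        first, sep, last = spec.partition("-")
        ranges.append((int(first), int(last) if sep else int(first)))
    return ranges

def keep_selected(src, dst, specs):
    """Copy selected records from src to dst; return how many records were read."""
    ranges = parse_selections(specs)
    last_wanted = max(last for _, last in ranges)   # nothing past this is needed
    header = src.read(GLOBAL_HDR_LEN)
    if len(header) < GLOBAL_HDR_LEN:
        raise ValueError("file too short for a pcap header")
    magic = struct.unpack("<I", header[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    dst.write(header)
    recno = 0
    while recno < last_wanted:                      # early exit: the point of the post
        rec_hdr = src.read(RECORD_HDR_LEN)
        if len(rec_hdr) < RECORD_HDR_LEN:
            break                                   # input ended before last_wanted
        incl_len = struct.unpack(endian + "IIII", rec_hdr)[2]
        data = src.read(incl_len)
        if len(data) < incl_len:
            break                                   # truncated final record: drop it
        recno += 1
        if any(first <= recno <= last for first, last in ranges):
            dst.write(rec_hdr + data)
    return recno

def make_pcap(count):
    """Constructed sample input: `count` 4-byte packets, little-endian pcap."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n in range(1, count + 1):
        out += struct.pack("<IIII", n, 0, 4, 4) + struct.pack("<I", n)
    return out
```
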