Re: editcap question

[Jaap Keuter <jaap.keuter () xs4all nl>]

Hi,

Looks interesting enough. Usually patches are handled through our bug tracking
system, so that they don't get lost. You may want to do the same.

Thanks,
Jaap


On 01/21/2014 07:07 PM, Matej Kosik wrote:
> Hi,
>
> When I have a huge pcap file ("huge.pcap")
> and I do this:
>
>   editcap -r -F libpcap huge.pcap tiny.pcap 1
>
> Then I get a correct pcap-file (tiny.pcap)
> although what is surprising is that editcap goes through the whole input pcap-file
> instead of terminating right after the first (and definitely the last) packet was produced.
>
> I wonder, why is this?
>
> That is, cannot editcap compute the maximum packet number (wrt. given selections) and then,
> when it reaches that packet-number, regardless of how many other packets there are in the origin input pcap-file,
> it would terminate?
>
> -------------------------------------------------------------------------------------
>
> The attached patch file (against wireshark-1.10.5)
> is my attempt to modify editcap so that it avoids excess parsing.
> When applied, then things like:
>
>   editcap -r -F libpcap huge.pcap tiny.pcap 1
>   editcap -r -F libpcap huge.pcap tiny.pcap 1-10
>   editcap -r -F libpcap huge.pcap tiny.pcap 1-10 200-300
>
> take the same time to complete regardless of the size of the input (huge.pcap) file.
> (immeditelly after producing the 1-st, the 10-th, or 300-th packet respectively).

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe