Ethereal-users: Re: [Ethereal-users] how to output only first and last packets of a libpcap file
Get it from CPAN and install it.
Fastest way:
$ perl -MCPAN -e 'CPAN::shell'
cpan> install Net::Pcap
On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
> By the way Luis, when I try to run the Perl scripts it tells me I am missing the Pcap library or something in Perl:
>
> Can't locate Net/Pcap.pm in @INC (@INC contains: /etc/perl /usr/lib/perl5/site_perl/5.8.7/i686-linux-thread-multi /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl /usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.5 /usr/lib/perl5/vendor_perl/5.8.5/i686-linux-thread-multi /usr/lib/perl5/vendor_perl/5.8.6 /usr/lib/perl5/vendor_perl/5.8.6/i686-linux-thread-multi /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.7/i686-linux-thread-multi /usr/lib/perl5/5.8.7 /usr/local/lib/site_perl .) at first_last line 3.
>
> I've never worked with Perl before really, where can I read about installing this missing stuff?
>
> > #!/usr/bin/perl
> > use strict;
> > use Net::Pcap;
> >
> > my $in_file = shift;
> > my $out_file = shift;
> >
> > my ($err, $pcap_in, $pcap_out, $pcap_t, $first_pkt, $last_pkt, $pkt, $i);
> > my (%hdr, %last_hdr);
> > my $n = 0;
> >
> > # Open the input capture; the dump file inherits its link type
> > $pcap_in = Net::Pcap::open_offline($in_file, \$err)
> >     or die "Cannot open $in_file: $err\n";
> > $pcap_out = Net::Pcap::dump_open($pcap_in, $out_file);
> >
> > # Read the first packet and write it out
> > $first_pkt = Net::Pcap::next($pcap_in, \%hdr);
> > $pkt = $first_pkt;
> >
> > Net::Pcap::dump($pcap_out, \%hdr, $pkt);
> >
> > # Walk to the end of the file, remembering the last packet and its header
> > do {
> >     $last_pkt = $pkt;
> >     %last_hdr = %hdr;
> >     $pkt = Net::Pcap::next($pcap_in, \%hdr);
> > } while (defined $pkt);
> >
> > # Write the last packet to the dump file
> > Net::Pcap::dump($pcap_out, \%last_hdr, $last_pkt);
> >
> > Net::Pcap::dump_close($pcap_out);
> > Net::Pcap::close($pcap_in);
> >
> >
> > On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
> >> bahhh, I was hoping since libpcap files carried a header, the header
> >> let it know something that would make this possible without doing
> >> scenario 1) :)
> >>
> >> I have huge files, I will benchmark and see how long suggestion 1 takes
> >> per file
> >>
> >> - George
> >>
> >>
> >>> George P Nychis wrote:
> >>>
> >>>> How can I output the first and last packets of a libpcap file with
> >>>> tethereal?
> >>>
> >>> You can't, at least not in a simple fashion. Tethereal is (by design
> >>> and intent) a strict one-pass application, and it doesn't know a
> >>> packet is the last packet until it tries to read the next packet and
> >>> finds there isn't one, at which point it's too late.
> >>>
> >>> You'd have to either
> >>>
> >>> 1) read the file once to find out how many packets are in it, and
> >>> then try a filter such as
> >>>
> >>> frame.number == 1 || frame.number == {number of frames}
> >>>
> >>> with {number of frames} replaced with the total number of frames in
> >>> the capture
> >>>
> >>> or
> >>>
> >>> 2) read it into Ethereal, mark the first and last frames, and save
> >>> the marked frames.
> >>>
> >>> The ambitious reader could perhaps develop a shell script to automate
> >>> the first of those suggestions.
> >>> _______________________________________________ Ethereal-users
> >>> mailing list Ethereal-users@xxxxxxxxxxxx
> >>> http://www.ethereal.com/mailman/listinfo/ethereal-users
> >>>
> >>>
> >
> >
> > -- This information is top security. When you have read it, destroy
> > yourself. -- Marshall McLuhan
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan
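
The quoted replies note that a one-pass reader cannot know which packet is last, and the classic libpcap file header carries no packet count to help. As an added example (not part of any message in this thread), the Python below walks the 16-byte record headers, seeks over each payload unread, and copies only the first and last complete records; the function names and the constructed sample capture are assumptions of the example, and it covers only the classic libpcap format.

```python
import io
import struct

# Classic libpcap magic numbers -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond stamps
}

def first_last(src, dst):
    """Copy the first and last complete packet records from src to dst.

    src and dst are seekable binary file objects; returns the packet count.
    """
    size = src.seek(0, io.SEEK_END)
    src.seek(0)
    ghdr = src.read(24)                  # global header: no packet count in it
    if len(ghdr) < 24 or ghdr[:4] not in MAGICS:
        raise ValueError("not a classic libpcap file")
    endian = MAGICS[ghdr[:4]]
    dst.write(ghdr)                      # keeps link type and snaplen

    count, first, last, pos = 0, None, None, 24
    while pos + 16 <= size:
        src.seek(pos)
        # record header: ts_sec, ts_frac, incl_len (bytes stored), orig_len
        incl_len = struct.unpack(endian + "4I", src.read(16))[2]
        if pos + 16 + incl_len > size:
            break                        # truncated or corrupt final record
        last = (pos, 16 + incl_len)
        first = first or last
        count += 1
        pos += 16 + incl_len             # hop over the payload unread

    for off, length in [first, last][:min(count, 2)]:   # one copy if count == 1
        src.seek(off)
        dst.write(src.read(length))
    return count

def make_pcap(payloads, endian="<"):
    """Constructed sample input: an Ethernet-linktype pcap, one record per payload."""
    out = struct.pack(endian + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack(endian + "4I", i, 0, len(p), len(p)) + p
    return out

def first_last_bytes(data):
    """Run first_last() on an in-memory capture; returns (count, output bytes)."""
    dst = io.BytesIO()
    return first_last(io.BytesIO(data), dst), dst.getvalue()
```

For a real capture, pass two files opened in binary mode, for example `first_last(open(in_path, "rb"), open(out_path, "wb"))`.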