Ethereal-users: Re: [Ethereal-users] how to output only first and last packets of a libpcap file
add
my %last_hdr;
right after %hdr;
(or remove use strict;)
On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
> gnychis@monster ~/school/15744/project/logs $ perl first_last scen1-comcast_to_ini-comcast.log
> Global symbol "%last_hdr" requires explicit package name at first_last line 22.
> Global symbol "%last_hdr" requires explicit package name at first_last line 26.
> Execution of first_last aborted due to compilation errors.
>
>
> > get it from CPAN and install it.
> >
> > fastest way:
> >
> > $ perl -MCPAN -e 'CPAN:shell' cpan> install Net::Pcap
> >
> >
> > On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
> >> By the way Luis, when i try to run the perl scripts it tells me I am
> >> missing the Pcap library or something in perl:
> >>
> >> Can't locate Net/Pcap.pm in @INC (@INC contains: /etc/perl
> >> /usr/lib/perl5/site_perl/5.8.7/i686-linux-thread-multi
> >> /usr/lib/perl5/site_perl/5.8.7 /usr/lib/perl5/site_perl
> >> /usr/lib/perl5/vendor_perl/5.8.7/i686-linux-thread-multi
> >> /usr/lib/perl5/vendor_perl/5.8.7 /usr/lib/perl5/vendor_perl/5.8.5
> >> /usr/lib/perl5/vendor_perl/5.8.5/i686-linux-thread-multi
> >> /usr/lib/perl5/vendor_perl/5.8.6
> >> /usr/lib/perl5/vendor_perl/5.8.6/i686-linux-thread-multi
> >> /usr/lib/perl5/vendor_perl /usr/lib/perl5/5.8.7/i686-linux-thread-multi
> >> /usr/lib/perl5/5.8.7 /usr/local/lib/site_perl .) at first_last line 3.
> >>
> >> I've never worked with perl before really, where can i read about
> >> installing this missing stuff?
> >>
> >>> #!/usr/bin/perl use strict; use Net::Pcap;
> >>>
> >>> my $in_file = shift; my $out_file = shift;
> >>>
> >>> my ($err, $pcap_in, $pcap_out, $pcap_t, $first_pkt, $last_pkt, $pkt,
> >>> $i); my %hdr; my $n = 0;
> >>>
> >>> $pcap_in = Net::Pcap::open_offline($in_file, \$err); $pcap_out > >
> >>> Net::Pcap::dump_open($pcap_in, "$out_file");
> >>>
> >>> my $first_pkt = Net::Pcap::next($pcap_in, \%hdr); $pkt = $first_pkt;
> >>>
> >>>
> >>> Net::Pcap::dump($pcap_out, \%hdr, $pkt);
> >>>
> >>> do { $last_pkt = $pkt; %last_hdr = %hdr; $pkt =
> >>> Net::Pcap::next($pcap_in, \%hdr); } while (defined $pkt);
> >>>
> >>> Net::Pcap::dump($last_pkt, \%last_hdr, $last_pkt);
> >>>
> >>> Net::Pcap::dump_close($pcap_out); Net::Pcap::close($pcap_in);
> >>>
> >>>
> >>> On 3/15/06, George P Nychis <gnychis@xxxxxxx> wrote:
> >>>> bahhh, i was hoping since libpcap files carried a header, the
> >>>> header let it know something that would make this possible without
> >>>> doing scenario 1) :)
> >>>>
> >>>> I have huge files, i will benchmark and see how long suggestion 1
> >>>> takes per file
> >>>>
> >>>> - George
> >>>>
> >>>>
> >>>>> George P Nychis wrote:
> >>>>>
> >>>>>> How can I output the first and last packets of a libpcap file
> >>>>>> with tethereal?
> >>>>>
> >>>>> You can't, at least not in a simple fashion. Tethereal is (by
> >>>>> design and intent) a strict one-pass application, and it doesn't
> >>>>> know a packet is the last packet until it tries to read the next
> >>>>> packet and finds there isn't one, at which point it's too late.
> >>>>>
> >>>>> You'd have to either
> >>>>>
> >>>>> 1) read the file once to find out how many packets are in it, and
> >>>>> then try a filter such as
> >>>>>
> >>>>> frame.number == 1 || frame.number == {number of frames}
> >>>>>
> >>>>> with {number of frames} replaced with the total number of frames
> >>>>> in the capture
> >>>>>
> >>>>> or
> >>>>>
> >>>>> 2) read it into Ethereal, mark the first and last frames, and
> >>>>> save the marked frames.
> >>>>>
> >>>>> The ambitious reader could perhaps develop a shell script to
> >>>>> automate the first of those suggestions.
> >>>>> _______________________________________________ Ethereal-users
> >>>>> mailing list Ethereal-users@xxxxxxxxxxxx
> >>>>> http://www.ethereal.com/mailman/listinfo/ethereal-users
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>> --
> >>>>
> >>>> _______________________________________________ Ethereal-users
> >>>> mailing list Ethereal-users@xxxxxxxxxxxx
> >>>> http://www.ethereal.com/mailman/listinfo/ethereal-users
> >>>>
> >>>
> >>>
> >>> -- This information is top security. When you have read it, destroy
> >>> yourself. -- Marshall McLuhan
> >>> _______________________________________________ Ethereal-users
> >>> mailing list Ethereal-users@xxxxxxxxxxxx
> >>> http://www.ethereal.com/mailman/listinfo/ethereal-users
> >>>
> >>>
> >>
> >>
> >> --
> >>
> >> _______________________________________________ Ethereal-users mailing
> >> list Ethereal-users@xxxxxxxxxxxx
> >> http://www.ethereal.com/mailman/listinfo/ethereal-users
> >>
> >
> >
> > -- This information is top security. When you have read it, destroy
> > yourself. -- Marshall McLuhan
> > _______________________________________________ Ethereal-users mailing
> > list Ethereal-users@xxxxxxxxxxxx
> > http://www.ethereal.com/mailman/listinfo/ethereal-users
> >
> >
>
>
> --
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
>
--
This information is top security. When you have read it, destroy yourself.
-- Marshall McLuhan