Ethereal-users: Re: [Ethereal-users] how to output only first and last packets of a libpcap file

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Tue, 14 Mar 2006 18:36:15 -0800
George P Nychis wrote:

> bahhh, I was hoping since libpcap files carried a header, the header
> let it know something that would make this possible without doing
> scenario 1) :)

No - libpcap format is (by design and intent) a format that can be read and written in one pass, so the header at the beginning of the file says nothing about the number of packets in the file.

Luis's script handles this by remembering the contents of each packet as it's read, so that after an attempt to read the next packet finds that there *is* no next packet, the previous packet, which is therefore the last packet, is still available, and can be written out.
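
The one-pass technique described above, as an added Python example (not Luis's script and not part of the original message): it reads the 24-byte file header and each 16-byte record header in sequence, remembering the most recent complete packet until a read finds no next packet. The function names, the `MAX_RECORD` bound and the sample capture are assumptions made for this example.

```python
import struct

MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond / nanosecond timestamp variants
MAX_RECORD = 262144  # sanity bound chosen for this example; incl_len is untrusted input

def first_and_last(stream):
    """Return (global_header, first_record, last_record, count) in one pass."""
    ghdr = stream.read(24)
    if len(ghdr) < 24:
        raise ValueError("truncated pcap global header")
    for endian in ("<", ">"):  # the magic number reveals the writer's byte order
        if struct.unpack(endian + "I", ghdr[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a libpcap file")
    first = last = None
    count = 0
    while True:
        rhdr = stream.read(16)
        if len(rhdr) < 16:  # no next packet: whatever is in `last` is the last one
            break
        incl_len = struct.unpack(endian + "IIII", rhdr)[2]
        if incl_len > MAX_RECORD:
            raise ValueError("implausible record length %d" % incl_len)
        data = stream.read(incl_len)
        if len(data) < incl_len:  # capture cut off mid-packet; ignore the partial record
            break
        last = rhdr + data  # remember the most recent complete packet
        if first is None:
            first = last
        count += 1
    return ghdr, first, last, count

def write_first_and_last(src, dst):
    """Copy the file header plus the first and last packets from src to dst."""
    ghdr, first, last, count = first_and_last(src)
    dst.write(ghdr)
    if count >= 1:
        dst.write(first)
    if count >= 2:
        dst.write(last)
    return count

def sample_capture(payloads):
    # Constructed sample: little-endian, version 2.4, snaplen 65535, linktype 1
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1000 + i, 0, len(p), len(p)) + p
    return out
```

Because the file header carries no packet count, the only way the reader learns that a packet was the last one is the short read at the top of the loop.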