tags:

views:

651

answers:

2
+1  Q: 

Getting the number of packets in a pcap capture file?

I need a program which prints the number of packets in a capture file which uses the pcap format. This number does not seem available in the pcap header (probably because it is written before the capture starts) and it does not seem there is a "footer" in the file, with this information.

So, I believe the only algorithm is to loop over all the packets and sum them. It is in O(N) and, for large traces, quite long.

I post here to see if someone has a cleverer idea?

I tagged with "C" because it is the language I currently use but I believe it is a language-independant issue.

+1  A: 

The only method I know of is to read the file, captured frame by captured frame and increment a "packet counter. There is, however, a small frame header that contains the length of the stored frame, so you could seek forward in the file by that length. It may not be any faster, mind you.

However, if you're interested in doing more than simply count the number of captured frames, it may make sense to read through the data and build a chain of captured frames while counting them, for future use. My PCAP library for Common Lisp does this. It reads "next frame" on an as-needed basis, storing raw frames in a double-linked list for easier future "next/previous" frame navigation, reading more frames from disk as needed. However, the parsing of the frame contents are left to the library user's discretion and isn't enforced by simply reading the frame octets into the data structure.

Vatine  2009-03-25 10:41:53
In C, there is no need to use the "small frame header that contains the length of the stored frame", pcap_next() does it for you.
bortzmeyer  2009-03-25 11:06:55
Your library is http://www.suspicious.org/~night/plokami/ ?
bortzmeyer  2009-03-25 11:07:42
My library can be downloaded from http://src.hexapodia.net/pcap.tar.gz. I suspect using pcap_next() will do some frame parsing and tha may make things arbritarily slower, one of the reasons I split "read packet" from "parse packet".
Vatine  2009-03-25 11:12:56
Nervertheless, accessing directly the trace, instead on relying on pcap_next() seems dangerous to me. I prefer using the official API. Thanks for the code, it's a long time since I've read Lisp.
bortzmeyer  2009-03-28 07:39:14
+1  A: 

Robert Edmonds, author of pcaputils, mentioned to me that there is already a program doing what I want, capinfos, in the Wireshark package. It displays various indications about a pcap file, including the number of packets it contain.

Reading the code source, it appears to work by walking the whole file, sequentially.

bortzmeyer  2009-03-28 07:37:41

related questions

any good tool for makefile generation?
How do you pass a function as a parameter in C?
Where should a veteran C programmer start in order to master Java ?
Any good book on best practice and guidelines in developing a SDK in C?
How do you determine the size of a file in C?
Decoding printf statements in C (Printf Primer)
Shift operator in C
How to avoid redefining VERSION, PACKAGE, etc.
Alpha blending sprites in Nintendo DS Homebrew
When should I use type abstraction in embedded systems
How to implement continuations?
What are the barriers to understanding pointers and what can be done to overcome them?
Anyone have experience creating a shared library in MATLAB?
String.indexOf function in C
Passing multidimensional arrays as function arguments in C
C/C++ library for reading MIDI signals from a USB MIDI device
Choosing a static code analysis tool
How do you printf an unsigned long long int?
Good STL-like library for C.
Rockbox audio format
Why am I getting a malloc: double free error with realloc()?
Should I learn C?
GTK implementation of MessageBox
Is gettimeofday() guaranteed to be of microsecond resolution?
How to use the C socket API in C++ on z/OS