views: 651
answers: 2

I need a program which prints the number of packets in a capture file which uses the pcap format. This number does not seem available in the pcap header (probably because it is written before the capture starts) and it does not seem there is a "footer" in the file, with this information.

So, I believe the only algorithm is to loop over all the packets and sum them. It is in O(N) and, for large traces, quite long.

I post here to see if someone has a cleverer idea?

I tagged with "C" because it is the language I currently use but I believe it is a language-independent issue.

+1  A: 

The only method I know of is to read the file, captured frame by captured frame, and increment a "packet counter". There is, however, a small frame header that contains the length of the stored frame, so you could seek forward in the file by that length. It may not be any faster, mind you.

However, if you're interested in doing more than simply count the number of captured frames, it may make sense to read through the data and build a chain of captured frames while counting them, for future use. My PCAP library for Common Lisp does this. It reads "next frame" on an as-needed basis, storing raw frames in a double-linked list for easier future "next/previous" frame navigation, reading more frames from disk as needed. However, the parsing of the frame contents is left to the library user's discretion and isn't enforced by simply reading the frame octets into the data structure.

Vatine
In C, there is no need to use the "small frame header that contains the length of the stored frame", pcap_next() does it for you.
bortzmeyer
Your library is http://www.suspicious.org/~night/plokami/ ?
bortzmeyer
My library can be downloaded from http://src.hexapodia.net/pcap.tar.gz. I suspect using pcap_next() will do some frame parsing and that may make things arbitrarily slower, one of the reasons I split "read packet" from "parse packet".
Vatine
Nevertheless, accessing the trace directly, instead of relying on pcap_next(), seems dangerous to me. I prefer using the official API. Thanks for the code, it's a long time since I've read Lisp.
bortzmeyer
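As an added example (not code from the question or the answer above), a C counter that does what Vatine describes: it reads each 16-byte record header and seeks past the captured bytes instead of parsing them, with the checks a practitioner wants before trusting a capture file (magic and byte order, incl_len bounded by the snaplen, and a record cut off by end of file). The sample capture it builds is constructed here, not taken from the page.

```c
#include <stdint.h>
#include <stdio.h>

/* Read a 32-bit field in the file's own byte order (le = little-endian on disk). */
static uint32_t rd32(const unsigned char *p, int le) {
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Count the records of a classic pcap file by reading each record header and
 * seeking past its incl_len bytes of packet data, never parsing the packets.
 * Returns -1 on a bad magic, an incl_len larger than the snaplen (corrupt or
 * hostile file), or a record cut off by end of file (interrupted capture). */
long count_pcap_packets(FILE *fp) {
    unsigned char hdr[24], rec[16];
    long size, count = 0;
    if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) < 0) return -1;
    rewind(fp);
    if (fread(hdr, 1, sizeof hdr, fp) != sizeof hdr) return -1;
    int le = (hdr[0] == 0xd4 || hdr[0] == 0x4d);          /* byte-swapped magic on disk */
    uint32_t magic = rd32(hdr, le);
    if (magic != 0xa1b2c3d4u && magic != 0xa1b23c4du) return -1;  /* usec or nsec pcap */
    uint32_t snaplen = rd32(hdr + 16, le);
    for (;;) {
        size_t n = fread(rec, 1, sizeof rec, fp);
        if (n == 0) return count;                          /* clean end of file */
        if (n != sizeof rec) return -1;                    /* partial record header */
        uint32_t caplen = rd32(rec + 8, le);               /* incl_len field */
        if (caplen > snaplen || ftell(fp) + (long)caplen > size) return -1;
        if (fseek(fp, (long)caplen, SEEK_CUR) != 0) return -1;
        count++;
    }
}

/* Constructed test input: a little-endian pcap with n records of 60 captured bytes.
 * With truncate set, the last record's data is cut short, as happens when a
 * capture is interrupted mid-write.  Returns count_pcap_packets() for that file. */
long count_sample_capture(int n, int truncate) {
    static const unsigned char ghdr[24] = { 0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0,
        0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0, 1, 0, 0, 0 };  /* snaplen 65535, Ethernet */
    unsigned char rhdr[16] = { 0 }, data[60] = { 0 };
    FILE *fp = tmpfile();
    if (!fp) return -1;
    rhdr[8] = rhdr[12] = 60;                               /* incl_len = orig_len = 60 */
    fwrite(ghdr, 1, sizeof ghdr, fp);
    for (int i = 0; i < n; i++) {
        fwrite(rhdr, 1, sizeof rhdr, fp);
        fwrite(data, 1, (truncate && i == n - 1) ? 20 : sizeof data, fp);
    }
    long count = count_pcap_packets(fp);
    fclose(fp);
    return count;
}
```

Like pcap_next(), this is still O(N) in the number of records; the seek only avoids copying and parsing each packet's bytes.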
+1  A: 

Robert Edmonds, author of pcaputils, mentioned to me that there is already a program doing what I want, capinfos, in the Wireshark package. It displays various indications about a pcap file, including the number of packets it contains.

Reading the source code, it appears to work by walking the whole file, sequentially.

bortzmeyer