Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Wireshark-users: [Wireshark-users] Editcap 100 argument limitation?

Date Index Thread Index Other Months All Mailing Lists

Date Prev Date Next Thread Prev Thread Next

From: "Rob Campbell" <a.robcampbell@xxxxxxxxx>
Date: Tue, 19 Jun 2007 16:48:15 -0400

Hi all,

 Just curious if this is a known issue or something that is out of
your control.
I noticed that some of the flows in my pcaps have nowhere near the
expected number of packets after separating an individual flow using
editcap.

ie. editcap -r /pub/mypcap.pcap /pub/mysubcap.pcap 1-3 6-7 12-14 15-16
20-40 etc. etc.

I have several pcaps I am analyzing that have flows that have 6000+
packets, but they very spread out across the pcap resulting in only
sets of 2-10 packets together.

I did some experimenting and the problem seems to lie in that editcap
seems to only read the first 100 arguments (be it individual packet
numbers or sets of packet numbers).

Is this limit intentional or can it be removed?  Is this a unix/linux
limitation?


Thanks,

Rob


--

---------------------------------------
Rob Campbell
a.robcampbell@xxxxxxxxx

Follow-Ups:
- Re: [Wireshark-users] Editcap 100 argument limitation?
  - From: Stephen Fisher
- Re: [Wireshark-users] Editcap 100 argument limitation?
  - From: Sake Blok
- Re: [Wireshark-users] Editcap 100 argument limitation?
  - From: Guy Harris

Prev by Date: Re: [Wireshark-users] TShark / Mergecap - Problem converting file type from command line.
Next by Date: [Wireshark-users] Cannot reassemble (and save as a file) packets
Previous by thread: Re: [Wireshark-users] Ping not showing up
Next by thread: Re: [Wireshark-users] Editcap 100 argument limitation?
Index(es):
- Date
- Thread