On Wed, 19 Oct 2005, Ulf Lamping wrote:
> Jaap Keuter wrote:
>
> >Hi list,
> >
> >On another note I proposed a patch to the editcap man page. Ulf suggested
> >a more informative statement about packet ranges. I've included that in
> >the synopsys as well as presented some examples. Please provide feedback
> >with better real-life examples so I can use them.
> >
> >
> Your second approach looks good to me, some questions (I'm using editcap
> often):
>
> To delete packet 1000 from the capture file use:
>
> editcap capture.pcap sans1000.pcap 1000
>
> Well, you might replace "sans1000.pcap" by "without1000.pcap".
It means the same, you know, so I thought it was a nice touch to some
non-critical information ;)
> Is this really this way? I would expect that only packet 1000 is in the
> capture file then.
Then is would be: editcap -r capture.pcap 1000.pcap 1000
Note the 'retain' option.
> To cut off a capture file at packet 500 use:
>
> editcap capture.pcap 500.pcap 501-
>
> or
>
> editcap -r capture.pcap 500.pcap -500
>
Hmmm, further testing reveiled that editcap doesn't like open intervals.
So new examples are:
To cut off a capture file at packet 500 use:
editcap capture.pcap 500.pcap 501-99999
or
editcap -r capture.pcap 500.pcap 0-500
> Sounds unlogical. I would expect 501- would cut off packets 1-500, and
> -500 to cut off everything after 500
Be carefull here. By default the packet ranges are cut off from the files,
and you need the -r option to retain them.
> Isn't it possible to add ranges like: 10-20,30-40?
Sure, like so:
To filter a capture file for packets 10 to 20 and 30 to 40 use:
editcap capture.pcap filtered.pcap 10-20 30-40
> Regards, ULFL
Thanx,
Jaap
