
Wireshark-dev: [Wireshark-dev] editcap -B

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 12 Nov 2010 15:03:17 +0100
Hello,

I ran into some unexpected behavior of editcap. The -A and -B options can be used to select a certain time range from a capture file. I would have expected -B to *not* include packets that were seen in that particular second. Here is what I got:

sake@MacSake:/tmp$ editcap -A "2010-11-08 20:00:00" -B "2010-11-09 00:00:00" tmp.cap tmp2.cap
sake@MacSake:/tmp$ capinfos -Teca tmp*
File name   Number of packets   Start time                End time
tmp.cap     4500000             Mon Nov  8 19:52:42 2010  Tue Nov  9 00:00:37 2010
tmp2.cap    4364047             Mon Nov  8 20:00:00 2010  Tue Nov  9 00:00:00 2010
sake@MacSake:/tmp$ tshark -ta -r tmp2.cap | tail
4364038 23:59:56.440017  10.94.206.2 -> 224.0.0.2    HSRP Hello (state Active)
4364039 23:59:56.994172 00:19:2f:57:49:ea -> 01:00:0c:cc:cc:cd STP RST. Root = 4096/638/00:19:07:f5:24:00  Cost = 0  Port = 0x83a3
4364040 23:59:57.112757  10.94.206.3 -> 224.0.0.2    HSRP Hello (state Standby)
4364041 23:59:58.994450 00:19:2f:57:49:ea -> 01:00:0c:cc:cc:cd STP RST. Root = 4096/638/00:19:07:f5:24:00  Cost = 0  Port = 0x83a3
4364042 23:59:59.228845  10.94.206.3 -> 224.0.0.2    HSRP Advertise (state Passive)
4364043 23:59:59.372142  10.94.206.2 -> 224.0.0.2    HSRP Hello (state Active)
4364044 00:00:00.020821  10.94.206.3 -> 224.0.0.2    HSRP Hello (state Standby)
4364045 00:00:00.675857 78:e7:d1:f9:35:38 -> 00:1b:78:e2:cd:3a ARP Who has 10.94.206.170?  Tell 10.94.206.161
4364046 00:00:00.676047 00:1b:78:e2:cd:3a -> 78:e7:d1:f9:35:38 ARP 10.94.206.170 is at 00:1b:78:e2:cd:3a
4364047 00:00:00.995831 00:19:2f:57:49:ea -> 01:00:0c:cc:cc:cd STP RST. Root = 4096/638/00:19:07:f5:24:00  Cost = 0  Port = 0x83a3
sake@MacSake:/tmp$ 

To me, it's illogical to include packets 4364044 to 4364047, as they would also be included when 'editcap -A "2010-11-09 00:00:00" -B "2010-11-09 04:00:00"' was used to generate the next interval (yes I know, intervals can be done with -i).

I would expect '-A "2010-11-08 20:00:00" -B "2010-11-09 00:00:00"' to mean: All packets with a timestamp starting at "2010-11-08 20:00:00" and *before* "2010-11-09 00:00:00".

Does anyone object to me changing (correcting) the current behavior of "-B" to what I would have expected?

Cheers,


Sake
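As an added illustration, not part of this thread or of Wireshark's own code: a small Python model of the two -B semantics discussed above, run over the frame timestamps from the tshark output (plus one constructed frame in the following second). It shows that the observed closed-second behaviour double-counts the boundary frames between two adjacent intervals, while the proposed start-inclusive, end-exclusive rule partitions them cleanly. The closed-second model is an assumption inferred from the output shown, not a reading of editcap's source.

```python
from datetime import datetime

# Constructed sample: frame numbers and timestamps taken from the tail of the
# tshark output above, plus one extra frame (4364048) in the next second that
# stands in for the packets tmp.cap still holds after 00:00:00.
PACKETS = [
    (4364042, "2010-11-08 23:59:59.228845"),
    (4364043, "2010-11-08 23:59:59.372142"),
    (4364044, "2010-11-09 00:00:00.020821"),
    (4364045, "2010-11-09 00:00:00.675857"),
    (4364046, "2010-11-09 00:00:00.676047"),
    (4364047, "2010-11-09 00:00:00.995831"),
    (4364048, "2010-11-09 00:00:01.004000"),  # constructed
]


def parse(ts):
    """Parse a timestamp with or without a fractional-second part."""
    fmt = "%Y-%m-%d %H:%M:%S.%f" if "." in ts else "%Y-%m-%d %H:%M:%S"
    return datetime.strptime(ts, fmt)


def in_range_closed_second(ts, start, stop):
    """Assumed model of the observed behaviour: a frame passes -B as long as
    its whole second is <= the stop second, so 00:00:00.995 still passes
    -B "... 00:00:00"."""
    return start <= ts.replace(microsecond=0) <= stop


def in_range_half_open(ts, start, stop):
    """Semantics proposed in the post: start <= ts < stop."""
    return start <= ts < stop


def select(packets, start, stop, pred):
    """Return the frame numbers that pred() keeps for the -A/-B window."""
    s, e = parse(start), parse(stop)
    return [n for n, ts in packets if pred(parse(ts), s, e)]


def overlap(packets, boundary, pred):
    """Frames that land in BOTH adjacent windows split at `boundary`
    (the double-counting the post objects to)."""
    first = set(select(packets, "2010-11-08 20:00:00", boundary, pred))
    second = set(select(packets, boundary, "2010-11-09 04:00:00", pred))
    return sorted(first & second)
```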