Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] rev 51854: /trunk/ /trunk/doc/: editcap.

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxxxx>
Date: Sun, 8 Sep 2013 23:05:37 -0400
Please note that we actually have up to 2 regions that can be chopped in a single pass by using multiple -C options (1 region specified by the positive length and the other region specified by the negative length).  However, one must ensure that the region specified by the positive length does not cross the region specified by the negative length; otherwise, nothing will be chopped since we're being told to retain all bytes specified by the offsets.
 
For example, given the following 75 byte packet, suppose we want to chop the 2 regions marked 10 and 20 in a single pass.
 
    <--------------------------- 75 ---------------------------->
 
    +---+-------+-----------+---------------+-------------------+
    | 5 |   10  |     15    |       20      |         25        |
    +---+-------+-----------+---------------+-------------------+
 
There are only 4 ways to successfully achieve this:
1) editcap -C 5:10 -C -25:-20 in.pcap out.pcap
2) editcap -C 5:10 -C 50:-20 in.pcap out.pcap
3) editcap -C -70:10 -C -25:-20 in.pcap out.pcap
4) editcap -C -70:10 -C 50:-20 in.pcap out.pcap
 
For clarity, these are the other methods, which will NOT work:
1) editcap -C 30:20 -C -60:-10 in.pcap out.pcap
2) editcap -C 30:20 -C 15:-10 in.pcap out.pcap
3) editcap -C -45:20 -C -60:-10 in.pcap out.pcap
4) editcap -C -45:20 -C 15:-10 in.pcap out.pcap
 
Using the 1st invalid example, the reason why it fails is because we're being told to specifically retain the 1st 30 bytes, but unfortunately, we're also told to specifically retain the last 60 bytes.  What this effectively says is to retain 80 bytes.  While we don't even have 80 bytes, it obviously means that we're going to retain all 75 bytes of the packet.  Compare that to the 1st valid example where we're only told to retain 30 bytes - the 1st 5 bytes and the last 25 bytes, so we have up to 45 bytes available for chopping there, of which we chop 30 (from 2 different regions - 10 from one region and 20 from the other).
 
I'm not sure this is entirely clear from the documentation, but I didn't want to write a novel explaining this.  Clarification suggestions are welcome!
- Chris
 
-----Original Message-----
From: wireshark-commits-bounces@xxxxxxxxxxxxx [mailto:wireshark-commits-bounces@xxxxxxxxxxxxx] On Behalf Of cmaynard@xxxxxxxxxxxxx
Sent: Sunday, September 08, 2013 9:04 PM
To: wireshark-commits@xxxxxxxxxxxxx
Subject: [Wireshark-commits] rev 51854: /trunk/ /trunk/doc/: editcap.pod /trunk/: editcap.c
 
 
User: cmaynard
Date: 2013/09/08 06:04 PM
 
Log:
OK, allow either positive or negative offsets no matter if we're chopping from the beginning or the end.
 
Given the following example, it's now possible to chop the 10 bytes depicted from the 100 byte packet 4 different ways and achieve the exact same results:
 
     <-------- 100 -------->       Methods:
                                   1) editcap -C 20:10 in.pcap out.pcap
     +------+----+---------+       2) editcap -C -80:10 in.pcap out.pcap
     |  20  | 10 |   70    |       3) editcap -C -70:-10 in.pcap out.pcap
     +------+----+---------+       4) editcap -C 30:-10 in.pcap out.pcap
 
Directory: /trunk/doc/
  Changes    Path           Action
  +2 -2      editcap.pod    Modified
 
Directory: /trunk/
  Changes    Path          Action
  +37 -30    editcap.c     Modified
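The chop semantics described in the message above (offsets resolved from either end, one positive-length and one negative-length -C region per pass, and crossing retained regions leaving the packet untouched), as an added Python model that is not editcap's own code; the names `parse_chop` and `apply_chops` and the constructed 75- and 100-byte packets are assumptions for this example:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chop:
    offset: int  # positive: from packet start; negative: from packet end
    length: int  # positive: chop forward from offset; negative: chop backward


def parse_chop(spec: str) -> Chop:
    """Parse one '-C offset:length' argument, e.g. '-25:-20'."""
    off, _, ln = spec.partition(":")
    return Chop(int(off), int(ln))


def apply_chops(packet: bytes, specs) -> bytes:
    """Model of applying one or two -C regions to a single packet.

    A positive length means 'retain the first <offset> bytes, then chop';
    a negative length means 'retain everything after <offset>, then chop
    backwards'.  If the two retained regions cover the whole packet, the
    packet is returned unchanged, as the message explains.
    """
    caplen = len(packet)
    head_keep = 0  # bytes at the start a positive-length chop retains
    tail_keep = 0  # bytes at the end a negative-length chop retains
    ranges = []    # absolute [start, end) ranges asked to be chopped
    for spec in specs:
        c = parse_chop(spec)
        pos = c.offset if c.offset >= 0 else caplen + c.offset  # resolve offset
        if c.length > 0:
            head_keep, rng = pos, (pos, pos + c.length)
        else:
            tail_keep, rng = caplen - pos, (pos + c.length, pos)
        ranges.append(rng)
    if head_keep + tail_keep >= caplen:  # retained regions cross: chop nothing
        return packet
    lo, hi = head_keep, caplen - tail_keep  # only this window may be chopped
    drop = set()
    for start, end in ranges:
        drop.update(range(max(start, lo), min(end, hi)))
    return bytes(b for i, b in enumerate(packet) if i not in drop)


# Constructed sample: the 75-byte packet from the message, byte value == offset.
PKT75 = bytes(range(75))
EXPECTED75 = bytes(range(5)) + bytes(range(15, 30)) + bytes(range(50, 75))
```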
 