tcpdump mailing list archives
jump to a packet flag
From: alex medvedev <alexm () pycckue org>
Date: Thu, 1 Jul 2004 14:18:32 -0500 (CDT)
hallo, any interest in having a -j flag in tcpdump? the flag would simply jump over the specified number of packets. it may be useful when reading dumps with the -r flag. it may also be useful in conjunction with the -c flag to isolate a certain interval from a dump. a callback function called spin() could be added that would be invoked when a -j flag is specified. something like this:

--------- tcpdump.c: main() -------------
	jflag = num_packets_to_skip;
	...
	/* first run the no-op callback over the packets to skip, then the real one */
	if (jflag > 0)
		status = pcap_loop(pd, jflag, spin, pcap_userdata);
	status = pcap_loop(pd, cnt, callback, pcap_userdata);
	...

/* no-op callback: consumes one packet without printing it */
static void
spin(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
	(void)user; (void)h; (void)sp;
	return;
}
--------------- end ---------------------

this, however, does not work well with relative seq numbers in tcp packets [maybe something else too?]. example, when reading the last packet in a 544 packet dump:

not using -j:

    $ ./tcpdump -nr /tmp/tdmp1 | tail -1
    reading from file /tmp/tdmp1, link-type EN10MB (Ethernet)
    15:03:54.697993 IP 10.1.2.244.33178 > 10.1.2.114.3260: R 422289:422289(0) ack 5574 win 65535 <nop,nop,timestamp 1089558006 546045871>

using -j:

    $ ./tcpdump -nr /tmp/tdmp1 -j 543
    reading from file /tmp/tdmp1, link-type EN10MB (Ethernet)
    15:03:54.697993 IP 10.1.2.244.33178 > 10.1.2.114.3260: R 2080039578:2080039578(0) ack 3622017432 win 65535 <nop,nop,timestamp 1089558006 546045871>

so, the seq numbers are different: "422289:422289(0) ack 5574" vs. "2080039578:2080039578(0) ack 3622017432", i.e. relative vs. absolute seq numbers. the results will be the same [the latter] if the -S flag is used (Print absolute, rather than relative, TCP sequence numbers). would you be interested in having this feature?

-alexm 10:53 01/07/2004

- This is the tcpdump-workers list. Visit https://lists.sandelman.ca/ to unsubscribe.
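The skip-then-print idea and its side effect on relative TCP sequence numbers, as an added illustration that is not part of the original message or of tcpdump itself: a small pure-Python pcap reader over a constructed four-packet capture. The relative-numbering rule here (base = first sequence number seen per direction, ack left absolute until the reverse direction has been seen) is an assumed simplification of tcpdump's behaviour, not its code; it is enough to show why the baseline moves when packets are skipped.

```python
import struct

def make_frame(src, sport, dst, dport, seq, ack, flags):
    """Build an Ethernet/IPv4/TCP frame with no payload (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # MACs + EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))                 # checksum left 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                      65535, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap frames in a classic pcap file (magic 0xA1B2C3D4, link-type 1 = EN10MB)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1088712000 + i, 0, len(f), len(f)) + f
    return out

A, B = (10, 1, 2, 244), (10, 1, 2, 114)
SAMPLE = build_pcap([                                   # constructed 4-packet "dump"
    make_frame(A, 33178, B, 3260, 1000000, 0, 0x02),          # SYN
    make_frame(B, 3260, A, 33178, 5000000, 1000001, 0x12),    # SYN/ACK
    make_frame(A, 33178, B, 3260, 1000001, 5000001, 0x10),    # ACK
    make_frame(A, 33178, B, 3260, 1000500, 5000300, 0x14),    # RST/ACK
])

def tcp_seq_ack(pcap, skip=0, absolute=False):
    """Return (seq, ack) per TCP packet after skipping `skip` packets, as a
    no-op pcap_loop callback would. Relative numbers (absolute=False) use the
    first seq seen per direction as base, so the baseline moves when packets
    are skipped; this is a simplified model of tcpdump's rule, not its code."""
    base, results, off, idx = {}, [], 24, 0
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from("<IIII", pcap, off)
        pkt = pcap[off + 16:off + 16 + incl]
        off, idx = off + 16 + incl, idx + 1
        if idx <= skip or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                     # skipped or not TCP/IPv4
        t = 14 + (pkt[14] & 0x0F) * 4                    # TCP header offset
        sport, dport, seq, ack = struct.unpack_from("!HHII", pkt, t)
        key = (pkt[26:30], sport, pkt[30:34], dport)
        rkey = (key[2], key[3], key[0], key[1])
        base.setdefault(key, seq)
        if absolute:
            results.append((seq, ack))
        else:   # ack stays absolute until the reverse direction has been seen
            rel_ack = (ack - base[rkey]) & 0xFFFFFFFF if rkey in base else ack
            results.append(((seq - base[key]) & 0xFFFFFFFF, rel_ack))
    return results

if __name__ == "__main__":
    print("full read, relative:", tcp_seq_ack(SAMPLE))
    print("skip 3, relative:   ", tcp_seq_ack(SAMPLE, skip=3))
    print("skip 3, absolute:   ", tcp_seq_ack(SAMPLE, skip=3, absolute=True))
```

Reading the whole file gives small relative numbers for the last packet, skipping straight to it gives a zero seq and a raw ack, and the absolute mode (the -S equivalent) is the only view that agrees in both cases.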
Current thread:
- jump to a packet flag alex medvedev (Jul 01)
- Re: jump to a packet flag Guy Harris (Jul 01)
- Re: jump to a packet flag Darren Reed (Jul 01)