tcpdump mailing list archives
Re: Question - savefile and stats
From: Milosz Marian Hulboj <mhulboj () hulboj org>
Date: Thu, 10 Jul 2008 11:40:58 +0200
On Thursday 10 July 2008, Guy Harris wrote:
It sounds as if you're not interested in statistics, you're interested in the ordinal numbers of packets in the savefile. (Note that, even in live captures, ps_recv gives you a count of packets that passed the filter on some platforms and packets that were *handed* to the filter on other platforms, and might or might not count packets dropped because the capture mechanism ran out of buffer space, so it's not even that useful for live captures.)
That's exactly what I was thinking about - however I misunderstood the statistics and thought that for live capture we could get also total count.
If you want the ordinal numbers of packets in the savefile, I would: compile the filter expression; *NOT* set it as a filter with pcap_setfilter(); after doing pcap_next_ex(), count the packet, and then call bpf_filter(<compiled filter>, <pointer to the beginning of the raw packet data>, <pcap_pkthdr>.len, <pcap_pkthdr>.caplen) and, if it returns 0, ignore the packet (as it didn't pass the filter). I.e., do the filtering yourself (when reading a savefile, the filtering is done in userland either way).
Thank you for this idea. For me it's ok. Cheers, Milosz - This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.
Current thread:
- Question - savefile and stats Milosz Marian Hulboj (Jul 08)
- Re: Question - savefile and stats Guy Harris (Jul 09)
- Re: Question - savefile and stats Milosz Marian Hulboj (Jul 10)
- Re: Question - savefile and stats Guy Harris (Jul 09)