Re: Question - savefile and stats

[Guy Harris <guy () alum mit edu>]

On Jul 8, 2008, at 3:33 AM, Milosz Marian Hulboj wrote:

> I know that it is not possible to use pcap_stats when reading data  
> from a savefile.

That's because the statistics aren't recorded in the savefile.

> I can count the packets returned by the pcap_next_ex, but if I  
> applied a filter, this won't tell me the absolute position of the  
> packet in the savefile.

It sounds as if you're not interested in statistics, you're interested  
in the ordinal numbers of packets in the savefile.  (Note that, even  
in live captures, ps_recv gives you a count of packets that passed the  
filter on some platforms and packets that were *handed* to the filter  
on other platforms, and might or might not count packets dropped  
because the capture mechanism ran out of buffer space, so it's not  
even that useful for live captures.)

If you want the ordinal numbers of packets in the savefile, I would:

        compile the filter expression;

        *NOT* set it as a filter with pcap_setfilter();

        after doing pcap_next_ex(), count the packet, and then call

		bpf_filter(<compiled filter>, <pointer to the beginning of the raw  
packet data>, <pcap_pkthdr>.len, <pcap_pkthdr>.caplen)

        and, if it returns 0, ignore the packet (as it didn't pass the filter).

I.e., do the filtering yourself (when reading a savefile, the  
filtering is done in userland either way).
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.