Re: Question - savefile and stats

[Milosz Marian Hulboj <mhulboj () hulboj org>]

On Thursday 10 July 2008, Guy Harris wrote:
> It sounds as if you're not interested in statistics, you're interested  
> in the ordinal numbers of packets in the savefile.  (Note that, even  
> in live captures, ps_recv gives you a count of packets that passed the  
> filter on some platforms and packets that were *handed* to the filter  
> on other platforms, and might or might not count packets dropped  
> because the capture mechanism ran out of buffer space, so it's not  
> even that useful for live captures.)

That's exactly what I was thinking about - however I misunderstood the statistics and thought that for live capture we 
could get also total count.

> If you want the ordinal numbers of packets in the savefile, I would:
>
>       compile the filter expression;
>
>       *NOT* set it as a filter with pcap_setfilter();
>
>       after doing pcap_next_ex(), count the packet, and then call
>
>               bpf_filter(<compiled filter>, <pointer to the beginning of the raw  
> packet data>, <pcap_pkthdr>.len, <pcap_pkthdr>.caplen)
>
>       and, if it returns 0, ignore the packet (as it didn't pass the filter).
>
> I.e., do the filtering yourself (when reading a savefile, the  
> filtering is done in userland either way).

Thank you for this idea. For me it's ok.

Cheers,
Milosz
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.