Wireshark mailing list archives

editcap question


From: Matej Kosik <5764c029b688c1c0d24a2e97cd764f () gmail com>
Date: Tue, 21 Jan 2014 18:07:34 +0000

Hi,

When I have a huge pcap file ("huge.pcap")
and I do this:

  editcap -r -F libpcap huge.pcap tiny.pcap 1

Then I get a correct pcap-file (tiny.pcap)
although what is surprising is that editcap goes through the whole input pcap-file
instead of terminating right after the first (and definitely the last) packet was produced.

I wonder, why is this?

That is, cannot editcap compute the maximum packet number (wrt. given selections) and then,
when it reaches that packet-number, regardless of how many other packets there are in the original input pcap-file,
it would terminate?

-------------------------------------------------------------------------------------

The attached patch file (against wireshark-1.10.5)
is my attempt to modify editcap so that it avoids excess parsing.
When applied, then things like:

  editcap -r -F libpcap huge.pcap tiny.pcap 1
  editcap -r -F libpcap huge.pcap tiny.pcap 1-10
  editcap -r -F libpcap huge.pcap tiny.pcap 1-10 200-300

take the same time to complete regardless of the size of the input (huge.pcap) file.
(immediately after producing the 1-st, the 10-th, or 300-th packet respectively).

Attachment: hack.diff

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
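
The early-termination idea from the message above, as an added example that is not part of the original post and is not the attached hack.diff: compute the highest selected packet number, then stop walking the capture once that record has been handled. The names max_selected, records_parsed and build_sample are hypothetical, the sample capture is constructed in memory, and treating a range that ends in 0 as "no upper bound" is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Highest packet number named by selections such as "1", "1-10", "200-300".
 * Returns 0 (no bound: read everything) on malformed or open-ended input. */
uint32_t max_selected(const char *const *sels, size_t n) {
    uint32_t max = 0;
    for (size_t i = 0; i < n; i++) {
        char *end;
        if (!isdigit((unsigned char)sels[i][0])) return 0;
        unsigned long first = strtoul(sels[i], &end, 10), last = first;
        if (*end == '-' && isdigit((unsigned char)end[1]))
            last = strtoul(end + 1, &end, 10);
        if (*end != '\0' || first == 0 || last < first || last > UINT32_MAX) return 0;
        if (last > max) max = (uint32_t)last;
    }
    return max;
}

/* Parse record headers after the 24-byte global header, stopping once
 * stop_after records were seen (0 = no early stop). Returns records parsed. */
uint32_t records_parsed(const uint8_t *buf, size_t len, uint32_t stop_after) {
    uint32_t count = 0;
    for (size_t off = 24; len >= 16 && off <= len - 16; ) {
        const uint8_t *p = buf + off + 8;      /* incl_len, little-endian */
        uint32_t incl = p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
        if (incl > len - off - 16) break;      /* truncated record */
        off += 16 + (size_t)incl;
        if (++count == stop_after) break;      /* last selected packet handled */
    }
    return count;
}

/* Constructed sample: a pcap of n records with 4 zero payload bytes each. */
size_t build_sample(uint8_t *buf, uint32_t n) {
    memset(buf, 0, 24 + (size_t)n * 20);
    memcpy(buf, "\xd4\xc3\xb2\xa1", 4);        /* pcap magic, little-endian */
    for (size_t i = 0; i < n; i++)
        buf[24 + i * 20 + 8] = buf[24 + i * 20 + 12] = 4;
    return 24 + (size_t)n * 20;
}

int main(void) {
    static uint8_t buf[24 + 1000 * 20];
    const char *sels[] = {"1-10", "200-300"};  /* selections from the post */
    printf("parsed %u of 1000 records\n",
           (unsigned)records_parsed(buf, build_sample(buf, 1000), max_selected(sels, 2)));
}
```

The shortcut only holds with -r, where the selected packets are the ones kept; without -r the selected packets are deleted and everything after the last selection still has to be copied.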
