Re: 90GB pcap file get last frame time stamp

[Timmy Brolin <tib () hms se>]

The pcapng file format supports "backwards" reading.


-----Original Message-----
From: Wireshark-dev <wireshark-dev-bounces () wireshark org> On Behalf Of Richard Sharpe
Sent: den 26 februari 2021 18:39
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] 90GB pcap file get last frame time stamp

On Fri, Feb 26, 2021 at 9:10 AM Raj sekar <mrajsekar () gmail com> wrote:
> Hi Everyone!
>
> Need a help. Is there any library or method to get large pcap file's( offline ) last timestamp.
>
> I know capinfos can get this. But i want faster than capinfos.
>
> Any suggestion?

Because each captured frame can be a different length, normally you would have to skip all the preceding frames to get 
the timestamp of the last record.

However, a heuristic approach might be to read the header to get the capture-length, and then read that much from the 
end of the file and look for an appropriate record header ...

On the other hand, I am unaware of any code that does that.

--
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)(传说杜康是酒的发明者)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe