Please note that we actually have up to 2 regions that can be chopped in a
single pass by using multiple -C options (1 region specified by the positive
length and the other region specified by the negative length). However, one
must ensure that the region specified by the positive length does not cross the
region specified by the negative length; otherwise, nothing will be chopped
since we're being told to retain all bytes specified by the offsets.
For example, given the following 75 byte packet, suppose we want to chop the 2
regions marked 10 and 20 in a single pass.

<--------------------------- 75 ---------------------------->
+---+-------+-----------+---------------+-------------------+
| 5 |  10   |    15     |      20       |        25         |
+---+-------+-----------+---------------+-------------------+

There are only 4 ways to successfully achieve this:
1) editcap -C 5:10 -C -25:-20 in.pcap out.pcap
2) editcap -C 5:10 -C 50:-20 in.pcap out.pcap
3) editcap -C -70:10 -C -25:-20 in.pcap out.pcap
4) editcap -C -70:10 -C 50:-20 in.pcap out.pcap
For clarity, these are the other methods, which will NOT work:
1) editcap -C 30:20 -C -60:-10 in.pcap out.pcap
2) editcap -C 30:20 -C 15:-10 in.pcap out.pcap
3) editcap -C -45:20 -C -60:-10 in.pcap out.pcap
4) editcap -C -45:20 -C 15:-10 in.pcap out.pcap
Using the 1st invalid example, the reason why it fails is because we're being
told to specifically retain the 1st 30 bytes, but unfortunately, we're also
told to specifically retain the last 60 bytes. What this effectively says is
to retain 80 bytes. While we don't even have 80 bytes, it obviously means that
we're going to retain all 75 bytes of the packet. Compare that to the 1st
valid example where we're only told to retain 30 bytes - the 1st 5 bytes and
the last 25 bytes, so we have up to 45 bytes available for chopping there, of
which we chop 30 (from 2 different regions - 10 from one region and 20 from the
other).
I'm not sure this is entirely clear from the documentation, but I didn't want
to write a novel explaining this. Clarification suggestions are welcome!
- Chris
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of
[email protected]
Sent: Sunday, September 08, 2013 9:04 PM
To: [email protected]
Subject: [Wireshark-commits] rev 51854: /trunk/ /trunk/doc/: editcap.pod
/trunk/: editcap.c
http://anonsvn.wireshark.org/viewvc/viewvc.cgi?view=rev&revision=51854
User: cmaynard
Date: 2013/09/08 06:04 PM
Log:
OK, allow either positive or negative offsets no matter if we're chopping from
the beginning or the end.
Given the following example, it's now possible to chop the 10 bytes depicted
from the 100 byte packet 4 different ways and achieve the exact same results:
<-------- 100 -------->    Methods:
                           1) editcap -C 20:10 in.pcap out.pcap
+------+----+---------+    2) editcap -C -80:10 in.pcap out.pcap
|  20  | 10 |   70    |    3) editcap -C -70:-10 in.pcap out.pcap
+------+----+---------+    4) editcap -C 30:-10 in.pcap out.pcap
Directory: /trunk/doc/
Changes Path Action
+2 -2 editcap.pod Modified
Directory: /trunk/
Changes Path Action
+37 -30 editcap.c Modified
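A model of the chopping rule described in this thread, added here as an example; it is not part of the original messages and is not editcap's own code. It treats a positive-length region's offset as a retained prefix and a negative-length region's offset as a retained suffix, then checks the 4 working and 4 non-working command lines against a constructed 75-byte packet. The names `parse_chop`, `chop`, `WORKS` and `FAILS` are hypothetical, and the clamping of over-long lengths is an assumption of the model.

```python
def parse_chop(spec):
    """Split one -C argument ('offset:length' or bare 'length') into two ints."""
    offset, _, length = spec.rpartition(":")
    return int(offset or 0), int(length)


def chop(packet, specs):
    """Apply up to two -C specs (one positive length, one negative) to packet."""
    n = len(packet)
    prefix = suffix = 0      # bytes retained at the start / at the end
    len_begin = len_end = 0  # bytes chopped after the prefix / before the suffix
    for spec in specs:
        offset, length = parse_chop(spec)
        if length > 0:    # region runs forward from the offset
            prefix = offset if offset >= 0 else n + offset
            len_begin = length
        elif length < 0:  # region runs backward from the offset
            suffix = n - offset if offset > 0 else -offset
            len_end = -length
    available = n - prefix - suffix
    if prefix < 0 or suffix < 0 or available <= 0:
        return packet  # retained regions cross: nothing is chopped
    # Assumption of this model: clamp lengths to the bytes left between the offsets.
    len_begin = min(len_begin, available)
    len_end = min(len_end, available - len_begin)
    return packet[:prefix] + packet[prefix + len_begin:n - suffix - len_end] + packet[n - suffix:]


# Constructed 75-byte packet: one letter per region of the 5|10|15|20|25 diagram.
PACKET = b"A" * 5 + b"B" * 10 + b"C" * 15 + b"D" * 20 + b"E" * 25
WORKS = [["5:10", "-25:-20"], ["5:10", "50:-20"], ["-70:10", "-25:-20"], ["-70:10", "50:-20"]]
FAILS = [["30:20", "-60:-10"], ["30:20", "15:-10"], ["-45:20", "-60:-10"], ["-45:20", "15:-10"]]

if __name__ == "__main__":
    for specs in WORKS + FAILS:
        out = chop(PACKET, specs)
        print(" ".join("-C " + s for s in specs), "->", len(out), "bytes")
```

Before trimming a capture that will be kept as evidence, comparing the output packet length against the expected value is a quick way to catch a pair of options that silently chopped nothing.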