> Message: 2
> Date: Wed, 20 Jun 2007 16:06:25 -0400
> From: Jeff Morriss <[EMAIL PROTECTED]>
> Subject: Re: [Wireshark-users] Editcap 100 argument limitation?
> To: Community support list for Wireshark <[email protected]>
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Stephen Fisher wrote:
> > On Tue, Jun 19, 2007 at 04:48:15PM -0400, Rob Campbell wrote:
> >
> >> I did some experimenting and the problem seems to lie in that editcap
> >> seems to only read the first 100 arguments (be it individual packet
> >> numbers or sets of packet numbers).
> >>
> >> Is this limit intentional or can it be removed? Is this a unix/linux
> >> limitation?
> >
> > This is an arbitrary limit compiled into the editcap program:
> >
> > Line 109 of editcap.c:
> >
> > static struct select_item selectfrm[100];
> >
> > How many arguments do you need to pass to editcap? We could look into
> > changing this limit or removing it entirely to make it dynamically
> > allocate space for as many arguments as fit on the command-line.
>
> I went ahead and (in rev 22145) increased the size of the array (up to
> 512). If that's not enough we can always go to a dynamically sized
> array, but that seems like overkill to me (now).
>
> More importantly, I also made 'editcap' tell you when it runs out of
> room for packet selections.
Thanks Jeff! 512 should be tons.

I was unaware of the ability to use tethereal/tshark to read in from one pcap and output to a different file using a wireshark display filter. I was using tethereal to dump the pcaps to XML/Text and then parsing the XML/Text files, collecting all of the packet numbers that belonged to a flow based on IP/Port information, and then using regular expressions I was creating the sets of packet numbers to allow me more than 100 packets.

Everything was done using tcl scripts so it's not like I was manually entering 100 arguments or anything, but the silent failure when it hit the 100 argument mark took me a little while to figure out :)

Had I known that tethereal could do it for me by just passing it the IP/Port information as a filter then I likely would never have needed this, but reporting that it hit the limit is definitely a great improvement as I'm sure someone will hit this again.

Thanks again,
Rob

---------------------------------------
Rob Campbell
[EMAIL PROTECTED]
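
The failure mode discussed in this thread, as an added example that is not editcap's code and not part of the original messages: a fixed-size selection table that rejects and reports the first argument that does not fit, instead of silently ignoring it. Only the names `select_item` and `selectfrm` and the size 512 come from the thread; the struct layout, `add_selection`, `selected`, the return codes and the error text are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_SELECTIONS 512  /* array size after the change described in the thread */

/* Assumed layout: the thread shows only the array declaration, not the struct. */
struct select_item { long first, second; };

static struct select_item selectfrm[MAX_SELECTIONS];
static int max_selected = 0;

/* Parse "N" or "N-M". Returns 0 on success, -1 if the table is full
 * (reported on stderr instead of being dropped silently), -2 on bad input. */
int add_selection(const char *sel)
{
    char *end;
    long first, second;
    if (max_selected >= MAX_SELECTIONS) {
        fprintf(stderr, "out of room for packet selections (max %d)\n", MAX_SELECTIONS);
        return -1;
    }
    first = second = strtol(sel, &end, 10);
    if (end == sel || first <= 0) return -2;      /* not a packet number */
    if (*end == '-') {                            /* range form "N-M" */
        const char *p = end + 1;
        second = strtol(p, &end, 10);
        if (end == p || second < first) return -2;
    }
    if (*end != '\0') return -2;                  /* trailing garbage */
    selectfrm[max_selected++] = (struct select_item){ first, second };
    return 0;
}

/* Return 1 if the packet number falls inside any stored selection. */
int selected(long packet)
{
    for (int i = 0; i < max_selected; i++)
        if (packet >= selectfrm[i].first && packet <= selectfrm[i].second)
            return 1;
    return 0;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++)
        if (add_selection(argv[i]) != 0) return 1; /* never run on a partial list */
    printf("%d selections stored\n", max_selected);
    return 0;
}
```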
