Getting the number of packets in a pcap capture file?
https://stackoverflow.com/questions/681011
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I need a program which prints the number of packets in a capture file which uses the pcap format. This number does not seem available in the pcap header (probably because it is written before the capture starts) and it does not seem there is a "footer" in the file, with this information.
So, I believe the only algorithm is to loop over all the packets and sum them. It is in O(N) and, for large traces, quite long.
I post here to see if someone has a cleverer idea?
I tagged with "C" because it is the language I currently use but I believe it is a language-independant issue.
Solution
Robert Edmonds, author of pcaputils, mentioned to me that there is already a program doing what I want, capinfos, in the Wireshark package. It displays various indications about a pcap file, including the number of packets it contain.
Reading the code source, it appears to work by walking the whole file, sequentially.
OTHER TIPS
The only way to determine how many packets are in the file is to read the entire file. There is, in fact, no packet count in the file header (because the format was designed to be writable in one pass), and there is, in fact, no footer.
If you want the number of Frames in the pcap :
tshark -r test.cap | wc -l
Using capinfos:
capinfos test.cap | grep "Number of packets"| tr -d " " | cut -d ":" -f 2
Using tcpdump:
tcpdump -r test.cap 2>/dev/null| wc -l
So basically, use libpcap, here is an example :
#include <stdio.h>
#include <pcap.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
unsigned int packet_counter=0;
struct pcap_pkthdr header;
const u_char *packet;
if (argc < 2) {
fprintf(stderr, "Usage: %s <pcap>\n", argv[0]);
exit(1);
}
pcap_t *handle;
char errbuf[PCAP_ERRBUF_SIZE];
handle = pcap_open_offline(argv[1], errbuf);
if (handle == NULL) {
fprintf(stderr,"Couldn't open pcap file %s: %s\n", argv[1], errbuf);
return(2);
}
while (packet = pcap_next(handle,&header)) {
packet_counter++;
}
pcap_close(handle);
printf("%d\n", packet_counter);
return 0;
}
NOTE: you need to install the libpcap headers (on Linux search for libpcap dev/devel package)
Then compile with gcc -o myprogram myprogram.c -lpcap
The only method I know of is to read the file, captured frame by captured frame and increment a "packet counter. There is, however, a small frame header that contains the length of the stored frame, so you could seek forward in the file by that length. It may not be any faster, mind you.
However, if you're interested in doing more than simply count the number of captured frames, it may make sense to read through the data and build a chain of captured frames while counting them, for future use. My PCAP library for Common Lisp does this. It reads "next frame" on an as-needed basis, storing raw frames in a double-linked list for easier future "next/previous" frame navigation, reading more frames from disk as needed. However, the parsing of the frame contents are left to the library user's discretion and isn't enforced by simply reading the frame octets into the data structure.
