forked from osmocom/wireshark
From Jim Young <jyoung@gsu.edu>:
- New duplicate packet removal options for editcap https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3168 I changed the patch a bit: - Adapted to 80 chars wide screen - Merged -w and -W parameters svn path=/trunk/; revision=28074
This commit is contained in:
parent
c5db90ba60
commit
14fa469df3
114
doc/editcap.pod
114
doc/editcap.pod
|
@ -8,7 +8,6 @@ editcap - Edit and/or translate the format of capture files
|
||||||
B<editcap>
|
B<editcap>
|
||||||
S<[ B<-c> E<lt>packets per fileE<gt> ]>
|
S<[ B<-c> E<lt>packets per fileE<gt> ]>
|
||||||
S<[ B<-C> E<lt>choplenE<gt> ]>
|
S<[ B<-C> E<lt>choplenE<gt> ]>
|
||||||
S<[ B<-d> ]>
|
|
||||||
S<[ B<-E> E<lt>error probabilityE<gt> ]>
|
S<[ B<-E> E<lt>error probabilityE<gt> ]>
|
||||||
S<[ B<-F> E<lt>file formatE<gt> ]>
|
S<[ B<-F> E<lt>file formatE<gt> ]>
|
||||||
S<[ B<-A> E<lt>start timeE<gt> ]>
|
S<[ B<-A> E<lt>start timeE<gt> ]>
|
||||||
|
@ -23,6 +22,14 @@ I<infile>
|
||||||
I<outfile>
|
I<outfile>
|
||||||
S<[ I<packet#>[-I<packet#>] ... ]>
|
S<[ I<packet#>[-I<packet#>] ... ]>
|
||||||
|
|
||||||
|
B<editcap>
|
||||||
|
S< B<-d> > |
|
||||||
|
S< B<-D> E<lt>dup windowE<gt> > |
|
||||||
|
S< B<-w> E<lt>dup time windowE<gt> >
|
||||||
|
S<[ B<-v> ]>
|
||||||
|
I<infile>
|
||||||
|
I<outfile>
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
|
|
||||||
B<Editcap> is a program that reads some or all of the captured packets from the
|
B<Editcap> is a program that reads some or all of the captured packets from the
|
||||||
|
@ -32,13 +39,17 @@ resulting packets to the capture I<outfile> (or outfiles).
|
||||||
By default, it reads all packets from the I<infile> and writes them to the
|
By default, it reads all packets from the I<infile> and writes them to the
|
||||||
I<outfile> in libpcap file format.
|
I<outfile> in libpcap file format.
|
||||||
|
|
||||||
A list of packet numbers can be specified on the command line; ranges of
|
An optional list of packet numbers can be specified on the command tail;
|
||||||
packet numbers can be specified as I<start>-I<end>, referring to all packets
|
individual packet numbers seperated by whitespace and/or ranges of packet
|
||||||
from I<start> to I<end>.
|
numbers can be specified as I<start>-I<end>, referring to all packets from
|
||||||
The selected packets with those numbers will I<not> be written to the
|
I<start> to I<end>. By default the selected packets with those numbers will
|
||||||
capture file.
|
I<not> be written to the capture file. If the B<-r> flag is specified, the
|
||||||
If the B<-r> flag is specified, the whole packet selection is reversed;
|
whole packet selection is reversed; in that case I<only> the selected packets
|
||||||
in that case I<only> the selected packets will be written to the capture file.
|
will be written to the capture file.
|
||||||
|
|
||||||
|
B<Editcap> can also be used to remove duplicate packets. Several different
|
||||||
|
options (B<-d>, B<-D> and B<-w>) are used to control the packet window
|
||||||
|
or relative time window to be used for duplicate comparison.
|
||||||
|
|
||||||
B<Editcap> is able to detect, read and write the same capture files that
|
B<Editcap> is able to detect, read and write the same capture files that
|
||||||
are supported by B<Wireshark>.
|
are supported by B<Wireshark>.
|
||||||
|
@ -74,9 +85,49 @@ formats leaves some random bytes at the end of each packet.
|
||||||
|
|
||||||
=item -d
|
=item -d
|
||||||
|
|
||||||
Attempts to remove duplicate packets. The length and MD5 sum of the
|
Attempts to remove duplicate packets. The length and MD5 hash of the
|
||||||
current packet are compared to the previous four packets. If a match
|
current packet are compared to the previous four (4) packets. If a
|
||||||
is found, the packet is skipped.
|
match is found, the current packet is skipped. This option is equilivent
|
||||||
|
to using the option B<-D 5>.
|
||||||
|
|
||||||
|
=item -D E<lt>dup windowE<gt>
|
||||||
|
|
||||||
|
Attempts to remove duplicate packets. The length and MD5 hash of the
|
||||||
|
current packet are compared to the previous <dup window> - 1 packets.
|
||||||
|
If a match is found, the current packet is skipped.
|
||||||
|
|
||||||
|
The use of the option B<-D 0> combined with the B<-v> option is useful
|
||||||
|
in that each packet's Packet number, Len and MD5 Hash will be printed
|
||||||
|
to standard out. This verbose output (specifically the MD5 hash strings)
|
||||||
|
can be useful in scripts to identify duplicate packets across trace
|
||||||
|
files.
|
||||||
|
|
||||||
|
The <dup window> is specifed as an integer value between 0 and 1000000 (inclusive).
|
||||||
|
|
||||||
|
NOTE: Specifying large <dup window> values with large tracefiles can
|
||||||
|
result in very long processing times for B<editcap>.
|
||||||
|
|
||||||
|
=item -w E<lt>dup time windowE<gt>
|
||||||
|
|
||||||
|
Attempts to remove duplicate packets. The current packet's arrival time
|
||||||
|
is compared with up to 1000000 previous packets. If the packet's relative
|
||||||
|
arrival time is I<less than> the <dup time window> of a previous packet
|
||||||
|
and the packet length and MD5 hash of the current packet are the same then
|
||||||
|
the packet to skipped. The duplicate comparison test stops when
|
||||||
|
the current packet's relative arrival time is greater than <dup time window>.
|
||||||
|
|
||||||
|
The <dup time window> is specifed as I<seconds>[I<.fractional seconds>].
|
||||||
|
|
||||||
|
The [.fractional seconds] component can be specified to nine (9) decimal
|
||||||
|
places (billionths of a second) but most typical trace files have resolution
|
||||||
|
to six (6) decimal places (millionths of a second).
|
||||||
|
|
||||||
|
NOTE: Specifying large <dup time window> values with large tracefiles can
|
||||||
|
result in very long processing times for B<editcap>.
|
||||||
|
|
||||||
|
NOTE: The B<-w> option assumes that the packets are in chronological order.
|
||||||
|
If the packets are NOT in chronological order then the B<-w> duplication
|
||||||
|
removal option may not identify some duplicates.
|
||||||
|
|
||||||
=item -E E<lt>error probabilityE<gt>
|
=item -E E<lt>error probabilityE<gt>
|
||||||
|
|
||||||
|
@ -166,6 +217,10 @@ packet, you will need od(1)/text2pcap(1).
|
||||||
|
|
||||||
Causes B<editcap> to print verbose messages while it's working.
|
Causes B<editcap> to print verbose messages while it's working.
|
||||||
|
|
||||||
|
Use of B<-v> with the de-duplication switches of B<-d>, B<-D> or B<-w>
|
||||||
|
will cause all MD5 hashes to be printed whether the packet is skipped
|
||||||
|
or not.
|
||||||
|
|
||||||
=back
|
=back
|
||||||
|
|
||||||
=head1 EXAMPLES
|
=head1 EXAMPLES
|
||||||
|
@ -188,15 +243,44 @@ To limit a capture file to packets from number 200 to 750 (inclusive) use:
|
||||||
|
|
||||||
To get all packets from number 1-500 (inclusive) use:
|
To get all packets from number 1-500 (inclusive) use:
|
||||||
|
|
||||||
editcap -r capture.pcap 500.pcap 1-500
|
editcap -r capture.pcap first500.pcap 1-500
|
||||||
|
|
||||||
or
|
or
|
||||||
|
|
||||||
editcap capture.pcap 500.pcap 501-9999999
|
editcap capture.pcap first500.pcap 501-9999999
|
||||||
|
|
||||||
To filter out packets 10 to 20 and 30 to 40 into a new file use:
|
To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:
|
||||||
|
|
||||||
editcap capture.pcap selection.pcap 10-20 30-40
|
editcap capture.pcap exclude.pcap 1 5 10-20 30-40
|
||||||
|
|
||||||
|
To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:
|
||||||
|
|
||||||
|
editcap -r capture.pcap select.pcap 1 5 10-20 30-40
|
||||||
|
|
||||||
|
To remove duplicate packets seen within the prior four frames use:
|
||||||
|
|
||||||
|
editcap -d capture.pcap dedup.pcap
|
||||||
|
|
||||||
|
To remove duplicate packets seen within the prior 100 frames use:
|
||||||
|
|
||||||
|
editcap -D 101 capture.pcap dedup.pcap
|
||||||
|
|
||||||
|
To remove duplicate packets seen I<less than> 1/10th of a second:
|
||||||
|
|
||||||
|
editcap -w 0.1 capture.pcap dedup.pcap
|
||||||
|
|
||||||
|
To remove duplicate packets seen I<equal to or less than> 1/10th of a second:
|
||||||
|
|
||||||
|
editcap -w 0.1 capture.pcap dedup.pcap
|
||||||
|
|
||||||
|
To display the MD5 hash for all of the packets (and NOT generate any
|
||||||
|
real output file):
|
||||||
|
|
||||||
|
editcap -v -D 0 capture.pcap /dev/null
|
||||||
|
|
||||||
|
or on Windows systems
|
||||||
|
|
||||||
|
editcap -v -D 0 capture.pcap NUL
|
||||||
|
|
||||||
To introduce 5% random errors in a capture file use:
|
To introduce 5% random errors in a capture file use:
|
||||||
|
|
||||||
|
|
323
editcap.c
323
editcap.c
|
@ -84,13 +84,18 @@ struct select_item {
|
||||||
typedef struct _fd_hash_t {
|
typedef struct _fd_hash_t {
|
||||||
md5_byte_t digest[16];
|
md5_byte_t digest[16];
|
||||||
guint32 len;
|
guint32 len;
|
||||||
|
nstime_t time;
|
||||||
} fd_hash_t;
|
} fd_hash_t;
|
||||||
|
|
||||||
#define DUP_DEPTH 5
|
#define DEFAULT_DUP_DEPTH 5 /* Used with -d */
|
||||||
fd_hash_t fd_hash[DUP_DEPTH];
|
#define MAX_DUP_DEPTH 1000000 /* the maximum window (and actual size of fd_hash[]) for de-duplication */
|
||||||
int cur_dup = 0;
|
|
||||||
|
fd_hash_t fd_hash[MAX_DUP_DEPTH];
|
||||||
|
int dup_window = DEFAULT_DUP_DEPTH;
|
||||||
|
int cur_dup_entry = 0;
|
||||||
|
|
||||||
#define ONE_MILLION 1000000
|
#define ONE_MILLION 1000000
|
||||||
|
#define ONE_BILLION 1000000000
|
||||||
|
|
||||||
/* Weights of different errors we can introduce */
|
/* Weights of different errors we can introduce */
|
||||||
/* We should probably make these command-line arguments */
|
/* We should probably make these command-line arguments */
|
||||||
|
@ -119,11 +124,13 @@ static int out_file_type = WTAP_FILE_PCAP; /* default to "libpcap" */
|
||||||
static int out_frame_type = -2; /* Leave frame type alone */
|
static int out_frame_type = -2; /* Leave frame type alone */
|
||||||
static int verbose = 0; /* Not so verbose */
|
static int verbose = 0; /* Not so verbose */
|
||||||
static struct time_adjustment time_adj = {{0, 0}, 0}; /* no adjustment */
|
static struct time_adjustment time_adj = {{0, 0}, 0}; /* no adjustment */
|
||||||
|
static nstime_t relative_time_window = {0, 0}; /* de-dup time window */
|
||||||
static double err_prob = 0.0;
|
static double err_prob = 0.0;
|
||||||
static time_t starttime = 0;
|
static time_t starttime = 0;
|
||||||
static time_t stoptime = 0;
|
static time_t stoptime = 0;
|
||||||
static gboolean check_startstop = FALSE;
|
static gboolean check_startstop = FALSE;
|
||||||
static gboolean dup_detect = FALSE;
|
static gboolean dup_detect = FALSE;
|
||||||
|
static gboolean dup_detect_by_time = FALSE;
|
||||||
|
|
||||||
static int find_dct2000_real_data(guint8 *buf);
|
static int find_dct2000_real_data(guint8 *buf);
|
||||||
|
|
||||||
|
@ -266,29 +273,200 @@ set_time_adjustment(char *optarg)
|
||||||
time_adj.tv.tv_usec = val;
|
time_adj.tv.tv_usec = val;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static void
|
||||||
|
set_rel_time(char *optarg)
|
||||||
|
{
|
||||||
|
char *frac, *end;
|
||||||
|
long val;
|
||||||
|
int frac_digits;
|
||||||
|
|
||||||
|
if (!optarg)
|
||||||
|
return;
|
||||||
|
|
||||||
|
/* skip leading whitespace */
|
||||||
|
while (*optarg == ' ' || *optarg == '\t') {
|
||||||
|
optarg++;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* ignore negative adjustment */
|
||||||
|
if (*optarg == '-') {
|
||||||
|
optarg++;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* collect whole number of seconds, if any */
|
||||||
|
if (*optarg == '.') { /* only fractional (i.e., .5 is ok) */
|
||||||
|
val = 0;
|
||||||
|
frac = optarg;
|
||||||
|
} else {
|
||||||
|
val = strtol(optarg, &frac, 10);
|
||||||
|
if (frac == NULL || frac == optarg || val == LONG_MIN || val == LONG_MAX) {
|
||||||
|
fprintf(stderr, "1: editcap: \"%s\" isn't a valid rel time value\n",
|
||||||
|
optarg);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
if (val < 0) { /* implies '--' since we caught '-' above */
|
||||||
|
fprintf(stderr, "2: editcap: \"%s\" isn't a valid rel time value\n",
|
||||||
|
optarg);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
relative_time_window.secs = val;
|
||||||
|
|
||||||
|
/* now collect the partial seconds, if any */
|
||||||
|
if (*frac != '\0') { /* chars left, so get fractional part */
|
||||||
|
val = strtol(&(frac[1]), &end, 10);
|
||||||
|
if (*frac != '.' || end == NULL || end == frac
|
||||||
|
|| val < 0 || val > ONE_BILLION || val == LONG_MIN || val == LONG_MAX) {
|
||||||
|
fprintf(stderr, "3: editcap: \"%s\" isn't a valid rel time value\n",
|
||||||
|
optarg);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
return; /* no fractional digits */
|
||||||
|
}
|
||||||
|
|
||||||
|
/* adjust fractional portion from fractional to numerator
|
||||||
|
* e.g., in "1.5" from 5 to 500000000 since .5*10^9 = 500000000 */
|
||||||
|
if (frac && end) { /* both are valid */
|
||||||
|
frac_digits = end - frac - 1; /* fractional digit count (remember '.') */
|
||||||
|
while(frac_digits < 9) { /* this is frac of 10^9 */
|
||||||
|
val *= 10;
|
||||||
|
frac_digits++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
relative_time_window.nsecs = val;
|
||||||
|
}
|
||||||
|
|
||||||
static gboolean
|
static gboolean
|
||||||
is_duplicate(guint8* fd, guint32 len) {
|
is_duplicate(guint8* fd, guint32 len) {
|
||||||
int i;
|
int i;
|
||||||
md5_state_t ms;
|
md5_state_t ms;
|
||||||
|
|
||||||
cur_dup++;
|
cur_dup_entry++;
|
||||||
if (cur_dup >= DUP_DEPTH)
|
if (cur_dup_entry >= dup_window)
|
||||||
cur_dup = 0;
|
cur_dup_entry = 0;
|
||||||
|
|
||||||
/* Calculate our digest */
|
/* Calculate our digest */
|
||||||
md5_init(&ms);
|
md5_init(&ms);
|
||||||
md5_append(&ms, fd, len);
|
md5_append(&ms, fd, len);
|
||||||
md5_finish(&ms, fd_hash[cur_dup].digest);
|
md5_finish(&ms, fd_hash[cur_dup_entry].digest);
|
||||||
|
|
||||||
fd_hash[cur_dup].len = len;
|
fd_hash[cur_dup_entry].len = len;
|
||||||
|
|
||||||
/* Look for duplicates */
|
/* Look for duplicates */
|
||||||
for (i = 0; i < DUP_DEPTH; i++) {
|
for (i = 0; i < dup_window; i++) {
|
||||||
if (i == cur_dup)
|
if (i == cur_dup_entry)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (fd_hash[i].len == fd_hash[cur_dup].len &&
|
if (fd_hash[i].len == fd_hash[cur_dup_entry].len &&
|
||||||
memcmp(fd_hash[i].digest, fd_hash[cur_dup].digest, 16) == 0) {
|
memcmp(fd_hash[i].digest, fd_hash[cur_dup_entry].digest, 16) == 0) {
|
||||||
|
return TRUE;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return FALSE;
|
||||||
|
}
|
||||||
|
|
||||||
|
static gboolean
|
||||||
|
is_duplicate_rel_time(guint8* fd, guint32 len, const nstime_t *current) {
|
||||||
|
int i;
|
||||||
|
md5_state_t ms;
|
||||||
|
|
||||||
|
cur_dup_entry++;
|
||||||
|
if (cur_dup_entry >= dup_window)
|
||||||
|
cur_dup_entry = 0;
|
||||||
|
|
||||||
|
/* Calculate our digest */
|
||||||
|
md5_init(&ms);
|
||||||
|
md5_append(&ms, fd, len);
|
||||||
|
md5_finish(&ms, fd_hash[cur_dup_entry].digest);
|
||||||
|
|
||||||
|
fd_hash[cur_dup_entry].len = len;
|
||||||
|
fd_hash[cur_dup_entry].time.secs = current->secs;
|
||||||
|
fd_hash[cur_dup_entry].time.nsecs = current->nsecs;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Look for relative time related duplicates.
|
||||||
|
* This is hopefully a reasonably efficient mechanism for
|
||||||
|
* finding duplicates by rel time in the fd_hash[] cache.
|
||||||
|
* We check starting from the most recently added hash
|
||||||
|
* entries and work backwards towards older packets.
|
||||||
|
* This approach allows the dup test to be terminated
|
||||||
|
* when the relative time of a cached entry is found to
|
||||||
|
* be beyond the dup time window.
|
||||||
|
*
|
||||||
|
* Of course this assumes that the input trace file is
|
||||||
|
* "well-formed" in the sense that the packet timestamps are
|
||||||
|
* in strict chronologically increasing order (which is NOT
|
||||||
|
* always the case!!).
|
||||||
|
*
|
||||||
|
* The fd_hash[] table was deliberatly created large (1,000,000).
|
||||||
|
* Looking for time related duplicates in large trace files with
|
||||||
|
* non-fractional dup time window values can potentially take
|
||||||
|
* a long time to complete.
|
||||||
|
*/
|
||||||
|
|
||||||
|
for (i = cur_dup_entry - 1;; i--) {
|
||||||
|
nstime_t delta;
|
||||||
|
int cmp;
|
||||||
|
|
||||||
|
if (i < 0) {
|
||||||
|
i = dup_window - 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (i == cur_dup_entry) {
|
||||||
|
/*
|
||||||
|
* We've decremented back to where we started.
|
||||||
|
* Check no more!
|
||||||
|
*/
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (nstime_is_unset(&(fd_hash[i].time))) {
|
||||||
|
/*
|
||||||
|
* We've decremented to an unused fd_hash[] entry.
|
||||||
|
* Check no more!
|
||||||
|
*/
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
nstime_delta(&delta, current, &fd_hash[i].time);
|
||||||
|
|
||||||
|
if(delta.secs < 0 || delta.nsecs < 0)
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* A negative delta implies that the current packet
|
||||||
|
* has an absolute timestamp less than the cached packet
|
||||||
|
* that it is being compared to. This is NOT a normal
|
||||||
|
* situation since trace files usually have packets in
|
||||||
|
* chronological order (oldest to newest).
|
||||||
|
*
|
||||||
|
* There are several possible ways to deal with this:
|
||||||
|
* 1. 'continue' dup checking with the next cached frame.
|
||||||
|
* 2. 'break' from looking for a duplicate of the current frame.
|
||||||
|
* 3. Take the absolute value of the delta and see if that
|
||||||
|
* falls within the specifed dup time window.
|
||||||
|
*
|
||||||
|
* Currently this code does option 1. But it would pretty
|
||||||
|
* easy to add yet-another-editcap-option to select one of
|
||||||
|
* the other behaviors for dealing with out-of-sequence
|
||||||
|
* packets.
|
||||||
|
*/
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
cmp = nstime_cmp(&delta, &relative_time_window);
|
||||||
|
|
||||||
|
if(cmp > 0) {
|
||||||
|
/*
|
||||||
|
* The delta time indicates that we are now looking at
|
||||||
|
* cached packets beyond the specified dup time window.
|
||||||
|
* Check no more!
|
||||||
|
*/
|
||||||
|
break;
|
||||||
|
} else if (fd_hash[i].len == fd_hash[cur_dup_entry].len &&
|
||||||
|
memcmp(fd_hash[i].digest, fd_hash[cur_dup_entry].digest, 16) == 0) {
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -317,7 +495,22 @@ usage(void)
|
||||||
fprintf(stderr, " given time (format as YYYY-MM-DD hh:mm:ss)\n");
|
fprintf(stderr, " given time (format as YYYY-MM-DD hh:mm:ss)\n");
|
||||||
fprintf(stderr, " -B <stop time> don't output packets whose timestamp is after the\n");
|
fprintf(stderr, " -B <stop time> don't output packets whose timestamp is after the\n");
|
||||||
fprintf(stderr, " given time (format as YYYY-MM-DD hh:mm:ss)\n");
|
fprintf(stderr, " given time (format as YYYY-MM-DD hh:mm:ss)\n");
|
||||||
fprintf(stderr, " -d remove duplicate packets\n");
|
fprintf(stderr, "\n");
|
||||||
|
fprintf(stderr, "Duplicate packet removal:\n");
|
||||||
|
fprintf(stderr, " -d remove packet if duplicate (window == %d).\n", DEFAULT_DUP_DEPTH);
|
||||||
|
fprintf(stderr, " -D <dup window> remove packet if duplicate, configurable <dup window>.\n");
|
||||||
|
fprintf(stderr, " Valid <dup window> values are 0 to %d.\n", MAX_DUP_DEPTH);
|
||||||
|
fprintf(stderr, " NOTE: A <dup window> of 0 with -v (verbose option) is\n");
|
||||||
|
fprintf(stderr, " useful to print MD5 hashes.\n");
|
||||||
|
fprintf(stderr, " -w <dup time window> remove packet if duplicate packet is found EQUAL TO OR\n");
|
||||||
|
fprintf(stderr, " LESS THAN <dup time window> prior to current packet.\n");
|
||||||
|
fprintf(stderr, " A <dup time window> is specified in relative seconds\n");
|
||||||
|
fprintf(stderr, " (e.g. 0.000001)\n");
|
||||||
|
fprintf(stderr, "\n");
|
||||||
|
fprintf(stderr, " NOTE: The use of the 'Duplicate packet removal' options with\n");
|
||||||
|
fprintf(stderr, " other editcap options except -v may not always work as expected.\n");
|
||||||
|
fprintf(stderr, " Specifically the -r and -t options will very likely NOT have the\n");
|
||||||
|
fprintf(stderr, " desired effect if combined with the -d, -D or -w.\n");
|
||||||
fprintf(stderr, "\n");
|
fprintf(stderr, "\n");
|
||||||
fprintf(stderr, "Packet manipulation:\n");
|
fprintf(stderr, "Packet manipulation:\n");
|
||||||
fprintf(stderr, " -s <snaplen> truncate each packet to max. <snaplen> bytes of data\n");
|
fprintf(stderr, " -s <snaplen> truncate each packet to max. <snaplen> bytes of data\n");
|
||||||
|
@ -343,6 +536,9 @@ usage(void)
|
||||||
fprintf(stderr, "Miscellaneous:\n");
|
fprintf(stderr, "Miscellaneous:\n");
|
||||||
fprintf(stderr, " -h display this help and exit\n");
|
fprintf(stderr, " -h display this help and exit\n");
|
||||||
fprintf(stderr, " -v verbose output\n");
|
fprintf(stderr, " -v verbose output\n");
|
||||||
|
fprintf(stderr, " If -v is used with any of the 'Duplicate Packet\n");
|
||||||
|
fprintf(stderr, " Removal' options (-d, -D or -w) then Packet lengths\n");
|
||||||
|
fprintf(stderr, " and MD5 hashes are printed to standard-out.\n");
|
||||||
fprintf(stderr, "\n");
|
fprintf(stderr, "\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -399,6 +595,7 @@ main(int argc, char *argv[])
|
||||||
unsigned int choplen = 0; /* No chop */
|
unsigned int choplen = 0; /* No chop */
|
||||||
wtap_dumper *pdh;
|
wtap_dumper *pdh;
|
||||||
int count = 1;
|
int count = 1;
|
||||||
|
unsigned duplicate_count = 0;
|
||||||
gint64 data_offset;
|
gint64 data_offset;
|
||||||
struct wtap_pkthdr snap_phdr;
|
struct wtap_pkthdr snap_phdr;
|
||||||
const struct wtap_pkthdr *phdr;
|
const struct wtap_pkthdr *phdr;
|
||||||
|
@ -434,7 +631,7 @@ main(int argc, char *argv[])
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Process the options */
|
/* Process the options */
|
||||||
while ((opt = getopt(argc, argv, "A:B:c:C:dE:F:hrs:i:t:T:v")) !=-1) {
|
while ((opt = getopt(argc, argv, "A:B:c:C:dD:E:F:hrs:i:t:T:vw:")) !=-1) {
|
||||||
|
|
||||||
switch (opt) {
|
switch (opt) {
|
||||||
|
|
||||||
|
@ -483,10 +680,31 @@ main(int argc, char *argv[])
|
||||||
|
|
||||||
case 'd':
|
case 'd':
|
||||||
dup_detect = TRUE;
|
dup_detect = TRUE;
|
||||||
for (i = 0; i < DUP_DEPTH; i++) {
|
dup_detect_by_time = FALSE;
|
||||||
memset(&fd_hash[i].digest, 0, 16);
|
dup_window = DEFAULT_DUP_DEPTH;
|
||||||
fd_hash[i].len = 0;
|
break;
|
||||||
|
|
||||||
|
case 'D':
|
||||||
|
dup_detect = TRUE;
|
||||||
|
dup_detect_by_time = FALSE;
|
||||||
|
dup_window = strtol(optarg, &p, 10);
|
||||||
|
if (p == optarg || *p != '\0') {
|
||||||
|
fprintf(stderr, "editcap: \"%s\" isn't a valid dupicate window value\n",
|
||||||
|
optarg);
|
||||||
|
exit(1);
|
||||||
}
|
}
|
||||||
|
if (dup_window < 0 || dup_window > MAX_DUP_DEPTH) {
|
||||||
|
fprintf(stderr, "editcap: \"%d\" duplicate window value must be between 0 and %d inclusive.\n",
|
||||||
|
dup_window, MAX_DUP_DEPTH);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
|
||||||
|
case 'w':
|
||||||
|
dup_detect = FALSE;
|
||||||
|
dup_detect_by_time = TRUE;
|
||||||
|
dup_window = MAX_DUP_DEPTH;
|
||||||
|
set_rel_time(optarg);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case '?': /* Bad options if GNU getopt */
|
case '?': /* Bad options if GNU getopt */
|
||||||
|
@ -686,6 +904,14 @@ main(int argc, char *argv[])
|
||||||
if (add_selection(argv[i]) == FALSE)
|
if (add_selection(argv[i]) == FALSE)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
if (dup_detect || dup_detect_by_time) {
|
||||||
|
for (i = 0; i < dup_window; i++) {
|
||||||
|
memset(&fd_hash[i].digest, 0, 16);
|
||||||
|
fd_hash[i].len = 0;
|
||||||
|
nstime_set_unset(&fd_hash[i].time);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
while (wtap_read(wth, &err, &err_info, &data_offset)) {
|
while (wtap_read(wth, &err, &err_info, &data_offset)) {
|
||||||
|
|
||||||
if (secs_per_block > 0) {
|
if (secs_per_block > 0) {
|
||||||
|
@ -752,7 +978,7 @@ main(int argc, char *argv[])
|
||||||
if ( ((check_startstop && check_ts) || (!check_startstop && !check_ts)) && ((!selected(count) && !keep_em) ||
|
if ( ((check_startstop && check_ts) || (!check_startstop && !check_ts)) && ((!selected(count) && !keep_em) ||
|
||||||
(selected(count) && keep_em)) ) {
|
(selected(count) && keep_em)) ) {
|
||||||
|
|
||||||
if (verbose)
|
if (verbose && !dup_detect && !dup_detect_by_time)
|
||||||
printf("Packet: %u\n", count);
|
printf("Packet: %u\n", count);
|
||||||
|
|
||||||
/* We simply write it, perhaps after truncating it; we could do other
|
/* We simply write it, perhaps after truncating it; we could do other
|
||||||
|
@ -805,13 +1031,59 @@ main(int argc, char *argv[])
|
||||||
phdr = &snap_phdr;
|
phdr = &snap_phdr;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* suppress duplicates by packet window */
|
||||||
if (dup_detect) {
|
if (dup_detect) {
|
||||||
buf = wtap_buf_ptr(wth);
|
buf = wtap_buf_ptr(wth);
|
||||||
if (is_duplicate(buf, phdr->caplen)) {
|
if (is_duplicate(buf, phdr->caplen)) {
|
||||||
if (verbose)
|
if (verbose) {
|
||||||
printf("Skipping duplicate: %u\n", count);
|
fprintf(stdout, "Skipped: %u, Len: %u, MD5 Hash: ", count, phdr->caplen);
|
||||||
|
for (i = 0; i < 16; i++) {
|
||||||
|
fprintf(stdout, "%02x", (unsigned char)fd_hash[cur_dup_entry].digest[i]);
|
||||||
|
}
|
||||||
|
fprintf(stdout, "\n");
|
||||||
|
}
|
||||||
|
duplicate_count++;
|
||||||
count++;
|
count++;
|
||||||
continue;
|
continue;
|
||||||
|
} else {
|
||||||
|
if (verbose) {
|
||||||
|
fprintf(stdout, "Packet: %u, Len: %u, MD5 Hash: ", count, phdr->caplen);
|
||||||
|
for (i = 0; i < 16; i++) {
|
||||||
|
fprintf(stdout, "%02x", (unsigned char)fd_hash[cur_dup_entry].digest[i]);
|
||||||
|
}
|
||||||
|
fprintf(stdout, "\n");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* suppress duplicates by time window */
|
||||||
|
if (dup_detect_by_time) {
|
||||||
|
nstime_t current;
|
||||||
|
|
||||||
|
current.secs = phdr->ts.secs;
|
||||||
|
current.nsecs = phdr->ts.nsecs;
|
||||||
|
|
||||||
|
buf = wtap_buf_ptr(wth);
|
||||||
|
|
||||||
|
if (is_duplicate_rel_time(buf, phdr->caplen, ¤t)) {
|
||||||
|
if (verbose) {
|
||||||
|
fprintf(stdout, "Skipped: %u, Len: %u, MD5 Hash: ", count, phdr->caplen);
|
||||||
|
for (i = 0; i < 16; i++) {
|
||||||
|
fprintf(stdout, "%02x", (unsigned char)fd_hash[cur_dup_entry].digest[i]);
|
||||||
|
}
|
||||||
|
fprintf(stdout, "\n");
|
||||||
|
}
|
||||||
|
duplicate_count++;
|
||||||
|
count++;
|
||||||
|
continue;
|
||||||
|
} else {
|
||||||
|
if (verbose) {
|
||||||
|
fprintf(stdout, "Packet: %u, Len: %u, MD5 Hash: ", count, phdr->caplen);
|
||||||
|
for (i = 0; i < 16; i++) {
|
||||||
|
fprintf(stdout, "%02x", (unsigned char)fd_hash[cur_dup_entry].digest[i]);
|
||||||
|
}
|
||||||
|
fprintf(stdout, "\n");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -902,6 +1174,17 @@ main(int argc, char *argv[])
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (dup_detect) {
|
||||||
|
fprintf(stdout, "%u packet%s seen, %u packet%s skipped with duplicate window of %u packets.\n",
|
||||||
|
count - 1, plurality(count - 1, "", "s"),
|
||||||
|
duplicate_count, plurality(duplicate_count, "", "s"), dup_window);
|
||||||
|
} else if (dup_detect_by_time) {
|
||||||
|
fprintf(stdout, "%u packet%s seen, %u packet%s skipped with duplicate time window equal to or less than %ld.%09ld seconds.\n",
|
||||||
|
count - 1, plurality(count - 1, "", "s"),
|
||||||
|
duplicate_count, plurality(duplicate_count, "", "s"),
|
||||||
|
(long)relative_time_window.secs, (long int)relative_time_window.nsecs);
|
||||||
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue