Add a "-s" flag to editcap, to make it truncate packets to a specified

snapshot length before writing them to the output file; this may come in handy if you are translating the file to a different format so that it can be read by a program that can't handle packets above a certain size (e.g., the snoop in Solaris 2.5.1 or 2.6, which reject Ethernet packets larger than the Ethernet MTU, and thus can't handle gigabit Ethernet captures using jumbo frames). svn path=/trunk/; revision=1891
2000-04-27 00:31:30 +00:00 · 2000-04-27 00:31:30 +00:00 · 4c071627ed
parent 3d1ce3399e
commit 4c071627ed
2 changed files with 47 additions and 12 deletions
--- a/doc/editcap.pod
+++ b/doc/editcap.pod
@ -10,6 +10,7 @@ S<[ B<-F> file format ]>
 S<[ B<-T> encapsulation type ]>
 S<[ B<-r> ]>
 S<[ B<-v> ]>
+S<[ B<-s> snaplen ]>
 S<[ B<-h> ]>
 I<infile>
 I<outfile>
@ -46,15 +47,26 @@ packets with those numbers will I<not> be written to the capture file,
 unless the B<-r> flag is specified, in which case I<only> those packets
 will be written to the capture file.

-If the B<-T> flag, the encapsulation type of the output capture file
-will be forced to the specified type, rather than being the type
-appropriate to the encapsulation type of the input capture file.  Note
-that this merely forces the encapsulation type of the output file to be
-the specified type; the packet headers of the packets will not be
-translated from the encapsulation type of the input capture file to the
-specified encapsulation type (for example, it will not translate an
-Ethernet capture to an FDDI capture if an Ethernet capture is read and
-'B<-T fddi>' is specified).
+If the B<-s> flag is used to specify a snapshot length, frames in the
+input file with more captured data than the specified snapshot length
+will have only the amount of data specified by the snapshot length
+written to the output file.  This may be useful if the program that is
+to read the output file cannot handle packets larger than a certain size
+(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6
+appear to reject Ethernet frames larger than the standard Ethernet MTU,
+making them incapable of handling gigabit Ethernet captures if jumbo
+frames were used).
+
+If the B<-T> flag is used to specify an encapsulation type, the
+encapsulation type of the output capture file will be forced to the
+specified type, rather than being the type appropriate to the
+encapsulation type of the input capture file.  Note that this merely
+forces the encapsulation type of the output file to be the specified
+type; the packet headers of the packets will not be translated from the
+encapsulation type of the input capture file to the specified
+encapsulation type (for example, it will not translate an Ethernet
+capture to an FDDI capture if an Ethernet capture is read and 'B<-T
+fddi>' is specified).

 =head1 OPTIONS

@ -78,6 +90,10 @@ be written to the output capture file.

 Causes B<editcap> to print a number of messages while it's working.

+=item -s
+
+Sets the snapshot length to use when writing the data.
+
 =item -h

 Prints the version and options and exits.
--- a/editcap.c
+++ b/editcap.c
@ -1,7 +1,7 @@
 /* Edit capture files.  We can delete records, or simply convert from one 
 * format to another format.
 *
- * $Id: editcap.c,v 1.8 2000/04/17 14:52:32 gram Exp $
+ * $Id: editcap.c,v 1.9 2000/04/27 00:31:23 guy Exp $
 *
 * Originally written by Richard Sharpe.
 * Improved by Guy Harris.
@ -53,6 +53,7 @@ static int keep_em = 0;
 static int out_file_type = WTAP_FILE_PCAP;   /* default to "libpcap"   */
 static int out_frame_type = -2;              /* Leave frame type alone */
 static int verbose = 0;                      /* Not so verbose         */
+static int snaplen = 0;                      /* No limit               */

 /* Add a selection item, a simple parser for now */

@ -133,6 +134,7 @@ edit_callback(u_char *user, const struct wtap_pkthdr *phdr, int offset,
 {
  callback_arg *argp = (callback_arg *)user;
  int err;
+  struct wtap_pkthdr snap_phdr;

  if ((!selected(count) && !keep_em) ||
      (selected(count) && keep_em)) {
@ -140,7 +142,14 @@ edit_callback(u_char *user, const struct wtap_pkthdr *phdr, int offset,
    if (verbose)
      printf("Record: %u\n", count);

-    /* We simply write it, we could do other things, like modify it */
+    /* We simply write it, perhaps after truncating it; we could do other
+       things, like modify it. */
+
+    if (snaplen != 0 && phdr->caplen > snaplen) {
+      snap_phdr = *phdr;
+      snap_phdr.caplen = snaplen;
+      phdr = &snap_phdr;
+    }

    if (!wtap_dump(argp->pdh, phdr, buf, &err)) {

@ -194,10 +203,11 @@ int main(int argc, char *argv[])
  extern char *optarg;
  extern int optind;
  char opt;
+  char *p;

  /* Process the options first */

-  while ((opt = getopt(argc, argv, "T:F:rv")) != EOF) {
+  while ((opt = getopt(argc, argv, "T:F:rvs:")) != EOF) {

    switch (opt) {

@ -227,6 +237,15 @@ int main(int argc, char *argv[])
      keep_em = !keep_em;  /* Just invert */
      break;

+    case 's':
+      snaplen = strtol(optarg, &p, 10);
+      if (p == optarg || *p != '\0') {
+      	fprintf(stderr, "editcap: \"%s\" is not a valid snapshot length\n",
+      	    optarg);
+      	exit(1);
+      }
+      break;
+
    case 'h':
      usage();
      exit(1);