So this made me think that maybe packet number is just a Wireshark thing, and that pcap files just store the packets without caring about labeling any order numbers?

Be careful since it seems that editcap's main function is to remove packets (duplicates), so watch out for any default behaviors there! editcap does allow you to specify packet number or packet number range. I do know that if you load it into Wireshark, you WILL see a packet number in the leftmost column, but since you're talking about a 100Gb file I did not want to suggest you load it into Wireshark (maybe Wireshark on a Linux server can deal with that? Dunno.)

Anyways, I came across editcap, which I have not used in the past but is a command-line tool that is part of Wireshark. I'm starting to think that the pcap output file does NOT include a packet number? I was somewhat surprised to see that the tcpdump man page and docs do not include any mention of packet number, which I would have thought it would for use with the -r option (reading from pcap file). You pose a very interesting question (at least to me!), so I started researching for an answer.

> 192.168.: sctp (1)

As of Wireshark 2.6.0 Release, you can use the membership operator for range like frame.number in " -w new.pcap
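An added illustration, not part of the original post and not Wireshark or tcpdump code: in the classic pcap format each record header holds only a timestamp and two lengths, so a "packet number" is simply the record's position in the file. The Python below streams a capture and copies a range of positions without loading the file into memory; `extract_range` and `build_sample` are hypothetical names, and the sample capture is constructed.

```python
import io
import struct

# Magic bytes as they appear on disk -> struct byte-order prefix
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def extract_range(src, dst, first, last):
    """Copy records first..last (1-based, inclusive) from src to dst; return the count."""
    global_header = src.read(24)
    if len(global_header) < 24 or global_header[:4] not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian = PCAP_MAGICS[global_header[:4]]
    dst.write(global_header)          # link type and snaplen carry over unchanged
    number = copied = 0
    while True:
        rec_header = src.read(16)
        if len(rec_header) < 16:
            break                     # end of file, or a truncated record header
        # Fields: ts_sec, ts_frac, incl_len, orig_len. There is no number field.
        _, _, incl_len, _ = struct.unpack(endian + "IIII", rec_header)
        number += 1                   # the "packet number" is just this counter
        if number > last:
            break                     # stop early; the rest of the file is never read
        if number < first:
            src.seek(incl_len, io.SEEK_CUR)   # skip the payload without reading it
            continue
        data = src.read(incl_len)
        if len(data) < incl_len:
            break                     # capture was cut off mid-packet
        dst.write(rec_header + data)
        copied += 1
    return copied

def build_sample(n):
    """Constructed capture: record i (1..n) carries i bytes, each with value i."""
    buf = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i in range(1, n + 1):
        payload = bytes([i]) * i
        buf += struct.pack("<IIII", i, 0, len(payload), len(payload)) + payload
    return buf
```

In the output file the copied records count from 1 again, because the number was never stored in the first place.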