Getting the number of packets in a pcap capture file?

c pcap
bortzmeyer picture bortzmeyer · Mar 25, 2009 · Viewed 26.4k times · Source

I need a program which prints the number of packets in a capture file which uses the pcap format. This number does not seem available in the pcap header (probably because it is written before the capture starts) and it does not seem there is a "footer" in the file, with this information.

So, I believe the only algorithm is to loop over all the packets and sum them. It is in O(N) and, for large traces, quite long.

I post here to see if someone has a cleverer idea?

I tagged with "C" because it is the language I currently use but I believe it is a language-independant issue.

Answer

bortzmeyer picture bortzmeyer · Mar 28, 2009

Robert Edmonds, author of pcaputils, mentioned to me that there is already a program doing what I want, capinfos, in the Wireshark package. It displays various indications about a pcap file, including the number of packets it contain.

Reading the code source, it appears to work by walking the whole file, sequentially.

Related questions

pcap struct pcap_pkthdr len vs caplen

We're sniffing packets using libpcap on linux The header we get on each packet looks like: struct pcap_pkthdr { struct timeval ts; /* time stamp */ bpf_u_int32 caplen; /* length of portion present */ bpf_u_int32 len; /* length this packet (off …

Read More
read from a PCap file and print out IP addresses and port numbers in c, but my result seem wrong

I am reading a pcap file and I want to print out the ip address and port number of each packet. I am using code from http://www.tcpdump.org/pcap.htm and http://www.rhyous.com/2011/11/13/how-to-read-a-pcap-file-from-wireshark-with-c/. Here is …

Read More
Creating a pcap file

I need to save UDP packets to a file and would like to use the pcap format to reuse the various tools available (wireshark, tcpdump, ...). There are some information in this thread but I can't find how to write the …

Read More