tcpdump mailing list archives

jump to a packet flag


From: alex medvedev <alexm () pycckue org>
Date: Thu, 1 Jul 2004 14:18:32 -0500 (CDT)

hallo,

any interest in having a -j flag in tcpdump?

the flag would simply jump over the specified number of packets.
it may be useful when reading dumps with the -r flag.
it may also be useful in conjunction with the -c flag to isolate a certain
interval from a dump.

a callback function called spin() could be added that would be invoked when a
-j flag is specified.
something like this:

--------- tcpdump.c: main() -------------

        jflag = num_packets_to_skip;
        ...
        /* consume the first jflag packets with a no-op callback,
         * then run the normal loop for the remaining cnt packets */
        if (jflag > 0)
                status = pcap_loop(pd, jflag, spin, pcap_userdata);
        status = pcap_loop(pd, cnt, callback, pcap_userdata);
        ...

/* no-op pcap_handler: each skipped packet is simply discarded */
static void
spin(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
{
        return;
}
        ...

--------------- end ---------------------

this, however, does not work well with relative seq numbers in tcp
packets [maybe smth else too?].

for example, when reading the last packet in a 544-packet dump:

not using -j:
$ ./tcpdump -nr /tmp/tdmp1 | tail -1
reading from file /tmp/tdmp1, link-type EN10MB (Ethernet)
15:03:54.697993 IP 10.1.2.244.33178 > 10.1.2.114.3260: R 422289:422289(0)
ack 5574 win 65535 <nop,nop,timestamp 1089558006 546045871>

using -j:
$ ./tcpdump -nr /tmp/tdmp1 -j 543
reading from file /tmp/tdmp1, link-type EN10MB (Ethernet)
15:03:54.697993 IP 10.1.2.244.33178 > 10.1.2.114.3260: R
2080039578:2080039578(0) ack 3622017432 win 65535 <nop,nop,timestamp
1089558006 546045871>

so, the seq numbers are different:
"422289:422289(0) ack 5574" vs. "2080039578:2080039578(0) ack 3622017432"

i.e. relative vs. absolute seq numbers.

the results will be the same [the latter] if the -S flag is used (print absolute,
rather than relative, TCP sequence numbers).

would you be interested in having this feature?

-alexm
10:53 01/07/2004
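The relative-vs-absolute difference in the post comes from how tcpdump remembers the first seq/ack it sees for each conversation. The Python model below is an added illustration, not tcpdump's code or the proposed patch: it reproduces that bookkeeping (including the directional swap and the `ack - 1` base) on a constructed four-packet trace whose ISNs are chosen so the final RST reproduces the post's numbers, and shows that skipping the handshake with a no-op callback gives the same output as -S.

```python
from collections import namedtuple

M = 0xFFFFFFFF                      # TCP sequence space wraps at 2^32
Pkt = namedtuple("Pkt", "src sport dst dport seq ack syn")

def make_printer():
    """Return fmt(pkt, absolute) mimicking tcpdump's tcp_seq_hash logic:
    the first packet of a conversation (or any SYN) records the bases and
    prints raw numbers; later packets print relative to those bases, with
    the two directions swapped.  Flags and window are omitted here."""
    conv = {}   # canonical 4-tuple -> (th.seq, th.ack) as tcpdump stores them

    def fmt(p, absolute=False):
        seq, ack = p.seq, p.ack
        if not absolute:
            fwd = (p.src, p.sport, p.dst, p.dport)
            key = min(fwd, (p.dst, p.dport, p.src, p.sport))
            reversed_dir = key != fwd
            if key not in conv or p.syn:
                # new conversation: record bases (note tcpdump's ack - 1)
                if reversed_dir:
                    conv[key] = ((ack - 1) & M, seq)
                else:
                    conv[key] = (seq, (ack - 1) & M)
            else:
                th_seq, th_ack = conv[key]
                if reversed_dir:
                    seq, ack = (seq - th_ack) & M, (ack - th_seq) & M
                else:
                    seq, ack = (seq - th_seq) & M, (ack - th_ack) & M
        return f"{seq}:{seq}(0) ack {ack}"
    return fmt

def render(packets, skip=0, absolute=False):
    """Format a trace with a fresh printer.  The first `skip` packets are
    dropped before the printer sees them, just as a no-op spin() callback
    would keep them away from the real TCP printer."""
    fmt = make_printer()
    return [fmt(p, absolute) for p in packets[skip:]]

# Constructed handshake plus the closing RST (not captured data); ISNs are
# chosen so that the last packet reproduces the numbers quoted in the post.
A, B = ("10.1.2.244", 33178), ("10.1.2.114", 3260)
TRACE = [
    Pkt(*A, *B, 2079617289, 0, True),
    Pkt(*B, *A, 3622011858, 2079617290, True),
    Pkt(*A, *B, 2079617290, 3622011859, False),
    Pkt(*A, *B, 2080039578, 3622017432, False),
]
```

`render(TRACE)[-1]` yields the relative form `422289:422289(0) ack 5574`, while `render(TRACE, skip=3)` and `render(TRACE, absolute=True)` both yield `2080039578:2080039578(0) ack 3622017432`, because a skipped handshake never populates the conversation table.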
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.