tcpdump mailing list archives

Re: estimate #packets in pcap file

From: Guy Harris <guy () alum mit edu>
Date: Mon, 3 May 2010 15:54:47 -0700


On Apr 30, 2010, at 5:15 PM, Andrej van der Zee wrote:

I am looking for way to estimate the number of packages in a pcap file
without traversing throu all packages with pcap_loop(). It does noet
have to be precise, just an estimate. Is there a way?


*IF* you have an idea what the average packet size in the file is, and it's X, then the size of that pcap file is 
probably approximately

        24 + N*(16+X)

where N is the number of packets; solving for N gives N = (S-24)/(16+X), where S is the size of the file in bytes.

Note that "the average packet size" is the average size of the raw packet data in the file; if, for example, you're 
capturing on an 802.11 device with Radiotap headers, "the average packet size" would include the Radiotap header data, 
not just the actual over-the-air packet data.

If you *don't* know the average packet size, you have no choice but to traverse the entire file.-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.

Current thread:

estimate #packets in pcap file Andrej van der Zee (Apr 30)
- Re: estimate #packets in pcap file Guy Harris (May 03)