This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

editcap behavior confirmation

0

Hi all,

Got a packet capture with 10 packets and the time interval between 1st and last packet is 2.315 seconds.

Time stamps of the 10 packets, respectively: {51.770989000; 51.771761000; 51.771783000; 51.771880000; 51.774776000; 51.774966000; 51.774985000; 51.775097000; 54.085199000; 54.085748000}

Now, I gave the following editcap command which creates trace files with 1 second worth of capture.

editcap -i 1 padding.pcap 1_padding.pcapng

This command created 3 trace files and the second trace file is having 0 packets.

I am seeing a behavior where the engine goes through a pattern of checking packets at the 0th second, 1st second, 2nd second, etc. If the engine does not find any packets in the nth second, it creates an empty trace file for it.

Any specific reason for creating an empty trace file rather than not creating one at all?

asked 15 Mar '13, 11:19


krishnayeddula
accept rate: 6%

edited 15 Mar '13, 11:27


One Answer:

1

That's "works as designed". Editcap will create a new trace file as soon as the first interval is finished, and closes it when the next interval is finished. It does not delete the file if zero packets were written, nor does it wait to open a new file until the first packet in the interval is seen.

I kinda like the fact that it explicitly shows you that that particular interval did not contain any packets.

answered 15 Mar '13, 16:13


SYN-bit ♦♦
accept rate: 20%
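To make the interval logic from the answer concrete, here is an added Python model (not editcap's own source) that buckets the ten timestamps from the question the way the answer describes. Aligning interval boundaries to the first packet's timestamp is an assumption; it reproduces the three files (second one empty) that the question reports.

```python
from typing import List

# Timestamps copied from the question (seconds), in capture order.
TIMESTAMPS = [51.770989, 51.771761, 51.771783, 51.771880, 51.774776,
              51.774966, 51.774985, 51.775097, 54.085199, 54.085748]


def split_by_interval(timestamps: List[float], interval: float,
                      keep_empty: bool = True) -> List[List[float]]:
    """Model of `editcap -i <interval>`: one output file per consecutive
    fixed-width interval, starting at the first packet (assumption).

    keep_empty=True mirrors the behaviour described in the answer: every
    interval between the first and last packet yields a file, even if no
    packet fell into it. keep_empty=False shows the alternative policy the
    question asks about (only intervals that contain packets get a file).
    """
    if not timestamps:
        return []
    if timestamps != sorted(timestamps):
        raise ValueError("model assumes chronological packet order")

    files: List[List[float]] = [[]]
    block_start = timestamps[0]
    for ts in timestamps:
        # Advance one interval at a time. Each step closes the current file
        # and opens a new one, which is why an empty interval still
        # produces an (empty) output file.
        while ts >= block_start + interval:
            block_start += interval
            files.append([])
        files[-1].append(ts)

    if not keep_empty:
        files = [f for f in files if f]
    return files


def empty_file_indexes(files: List[List[float]]) -> List[int]:
    """Return the 0-based positions of output files with no packets."""
    return [i for i, f in enumerate(files) if not f]


if __name__ == "__main__":
    out = split_by_interval(TIMESTAMPS, 1.0)
    for i, f in enumerate(out, start=1):
        print(f"file {i}: {len(f)} packets")
    print("empty files:", empty_file_indexes(out))
```

With `keep_empty=False` the same input yields only two files, which is the behaviour the question expected but editcap does not implement.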