
I am trying to get a random subset of packets from a .pcap file. To do so, I have written the following shell script:

large_number=150000
smaller_number=10000
# editcap numbers packets from 1, so draw from 1..large_number
selected_packet_numbers=$(shuf -i 1-"$large_number" -n "$smaller_number")
editcap -r capture.pcap capture-selected.pcap $selected_packet_numbers

However, editcap is giving me the following error:

Out of room for packet selections

Using a shell loop would take an unreasonably long time.

What can I do to select a random subset of packets from a .pcap file?

Utku

2 Answers


Currently, you will need to reduce smaller_number so its value is strictly less than 512. If you want more packet selections than that, you'll likely have to change the value of MAX_SELECTIONS in the editcap.c source code and compile it yourself.

Christopher Maynard
  • Do you know how I can compile _only_ `editcap.c`? I don't want to compile a whole bunch of stuff just to change a single line. If yes, could you add the steps to compile only `editcap.c` to the answer? – Utku Nov 03 '17 at 01:45
  • While you don't necessarily have to compile everything, it's not as simple as just compiling a single file. First you'll have to set up a development environment for your system, see: https://www.wireshark.org/docs/wsdg_html_chunked/, then you'll have to compile it via either autotools or cmake. If using autotools, you can probably run the configure script and then just disable everything except for editcap. If using cmake, the next step is to run msbuild in your build directory, something like: "msbuild /m /p:Configuration=RelWithDebInfo editcap.vcxproj" – Christopher Maynard Nov 03 '17 at 03:23
  • @Christopher Maynard From my tests 512 works (which makes sense since the array is 512 in length). So it's "less than or equal to 512". – pchaigno Nov 04 '17 at 12:46

As Christopher Maynard explained, you can only select a maximum of 512 packets at once with editcap. This thread on the Wireshark mailing list has a bit more information.

If you don't want to change editcap's sources, you could select packets in batches. The following script generates 10000 random numbers and then selects packets in batches of 512. The resulting .pcap files are merged into a single .pcap file at the end.

#!/bin/bash
# Usage: ./pcap-random.sh input-file.pcap output-file
large_number=150000
smaller_number=10000
batch=512   # editcap's MAX_SELECTIONS
# editcap numbers packets from 1, so draw from 1..large_number
selected_pkt_numbers=$(shuf -i 1-"$large_number" -n "$smaller_number")
# Stop at smaller_number-1 so no empty batch is produced when smaller_number is a multiple of 512
for j in $(seq 0 "$batch" $((smaller_number - 1))); do
    endrange=$((j + batch))
    if [ "$endrange" -gt "$smaller_number" ]; then
        endrange=$smaller_number
    fi
    # Selects numbers $j+1 to $endrange from the generated random numbers
    # ($selected_pkt_numbers is deliberately unquoted so echo flattens it onto one line for awk):
    echo "$j - $endrange"
    pkt_numbers=$(echo $selected_pkt_numbers | awk -v start="$j" -v end="$endrange" '{ out=""; for (i=start+1; i<=end; i++) out=out" "$i; print out}')
    editcap -r "$1" "$2-$j.pcap" $pkt_numbers
done
# mergecap orders the merged packets by timestamp, so the order of the batch files does not matter
mergecap -w "$2.pcap" "$2"-*.pcap

To use it:

$ ./pcap-random.sh input-file.pcap output-file
0 - 512
512 - 1024
[...]
9216 - 9728
9728 - 10000
$
$
$ capinfos output-file.pcap 
File name:           output-file.pcap
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Packet size limit:   inferred: 58 bytes
Number of packets:   10 k
[...]

That script will take more time to execute than if you modify editcap's sources. I haven't measured how much. With the parameters you gave, it took ~11s to execute.

pchaigno
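The batching above works around editcap's 512-selection limit, but the selection can also be done without editcap at all. The following Python 3 script is an added example (standard library only; it is not code from either answer or from the Wireshark project): it reads a legacy libpcap file once, keeps a uniform random subset with reservoir sampling, so the total packet count never has to be guessed the way large_number is above, and writes the chosen packets in their original order. It assumes the legacy pcap format (magic 0xa1b2c3d4 or 0xa1b23c4d, either byte order); pcapng input, which editcap writes by default, has to be converted first with editcap -F pcap. The build_pcap helper constructs a synthetic capture so the demo runs offline.

```python
import io
import random
import struct

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
# Legacy libpcap magic numbers: microsecond and nanosecond timestamp variants.
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)


def pcap_byte_order(global_header):
    """Return the struct byte-order prefix ('<' or '>') the file was written in."""
    for order in ('<', '>'):
        magic = struct.unpack(order + 'I', global_header[:4])[0]
        if magic in PCAP_MAGICS:
            return order
    raise ValueError('not a legacy pcap file (for pcapng, convert with editcap -F pcap)')


def iter_records(stream, order):
    """Yield each raw record (16-byte header + captured bytes) in file order."""
    while True:
        rec_hdr = stream.read(RECORD_HEADER_LEN)
        if not rec_hdr:
            return
        if len(rec_hdr) < RECORD_HEADER_LEN:
            raise ValueError('truncated record header')
        incl_len = struct.unpack(order + 'I', rec_hdr[8:12])[0]   # bytes actually captured
        data = stream.read(incl_len)
        if len(data) < incl_len:
            raise ValueError('truncated packet data')
        yield rec_hdr + data


def reservoir_sample(records, k, rng):
    """Algorithm R: uniform random k-subset of a stream of unknown length, O(k) memory.
    Returns (index, record) pairs sorted by index so the output keeps file order."""
    sample = []
    for i, rec in enumerate(records):
        if i < k:
            sample.append((i, rec))
        else:
            j = rng.randrange(i + 1)   # 0 <= j <= i; record i replaces slot j with probability k/(i+1)
            if j < k:
                sample[j] = (i, rec)
    sample.sort()
    return sample


def sample_pcap(src, dst, k, seed=None):
    """Copy a uniform random subset of k packets from src to dst (binary streams).
    Returns the number written; fewer than k only when the input has fewer packets."""
    global_header = src.read(GLOBAL_HEADER_LEN)
    if len(global_header) < GLOBAL_HEADER_LEN:
        raise ValueError('file too short to hold a pcap global header')
    order = pcap_byte_order(global_header)
    chosen = reservoir_sample(iter_records(src, order), k, random.Random(seed))
    dst.write(global_header)          # keeps the input's snaplen and link type
    for _, rec in chosen:
        dst.write(rec)
    return len(chosen)


def sample_pcap_bytes(data, k, seed=None):
    """In-memory wrapper around sample_pcap."""
    dst = io.BytesIO()
    sample_pcap(io.BytesIO(data), dst, k, seed)
    return dst.getvalue()


def packet_records(data):
    """Raw records of an in-memory pcap, for inspecting a result."""
    src = io.BytesIO(data)
    order = pcap_byte_order(src.read(GLOBAL_HEADER_LEN))
    return list(iter_records(src, order))


def build_pcap(n, order='<'):
    """Construct a synthetic pcap (link type 1 = Ethernet) with n 60-byte frames.
    Test input only, not real traffic: frame i starts with its index i."""
    out = [struct.pack(order + 'IHHiIII', 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i in range(n):
        frame = i.to_bytes(4, 'little' if order == '<' else 'big') + b'\x00' * 56
        out.append(struct.pack(order + 'IIII', 1500000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b''.join(out)


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 4:   # python3 pcap-random.py input.pcap output.pcap 10000
        with open(sys.argv[1], 'rb') as src, open(sys.argv[2], 'wb') as dst:
            print(sample_pcap(src, dst, int(sys.argv[3])), 'packets written')
    else:                    # offline demo on the constructed capture
        subset = sample_pcap_bytes(build_pcap(1000), 100, seed=1)
        print(len(packet_records(subset)), 'of 1000 packets kept')
```

Because the subset is held in memory only as the k chosen records, a 10000-packet sample from a 150000-packet file costs one sequential read of the input; the seed argument makes a selection reproducible when the same subset has to be regenerated.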