Getting the number of packets in a pcap capture file?

Question

I need a program which prints the number of packets in a capture file which uses the pcap format. This number does not seem available in the pcap header (probably because it is written before the capture starts) and it does not seem there is a "footer" in the file, with this information.

So, I believe the only algorithm is to loop over all the packets and sum them. It is in O(N) and, for large traces, quite long.

I post here to see if someone has a cleverer idea?

I tagged with "C" because it is the language I currently use but I believe it is a language-independant issue.

Answer 1

you can use tshark with -qz to print statistics for the .pcap file

for example, to analyze the file in 5-sec intervals:

❯ tshark -r file1.pcap -qz io,stat,5,"COUNT(frame) frame"

=============================
| IO Statistics             |
|                           |
| Duration: 17. 29551 secs  |
| Interval:  5 secs         |
|                           |
| Col 1: COUNT(frame) frame |
|---------------------------|
|          |1      |        |
| Interval | COUNT |        |
|------------------|        |
|  0 <>  5 |    10 |        |
|  5 <> 10 |    10 |        |
| 10 <> 15 |    10 |        |
| 15 <> Dur|     6 |        |
=============================

same file, now using a single 30-sec interval

❯ tshark -r file1.pcap -qz io,stat,30,"COUNT(frame) frame"

==================================
| IO Statistics                  |
|                                |
| Duration: 17.0 secs            |
| Interval: 17.0 secs            |
|                                |
| Col 1: COUNT(frame) frame      |
|--------------------------------|
|              |1      |         |
| Interval     | COUNT |         |
|----------------------|         |
|  0.0 <> 17.0 |    36 |         |
==================================

Answer 2

If you want the number of Frames in the pcap :

tshark -r test.cap | wc -l

Using capinfos:

capinfos test.cap | grep "Number of packets"| tr -d " " | cut -d ":" -f 2

Using tcpdump:

tcpdump -r test.cap 2>/dev/null| wc -l

So basically, use libpcap, here is an example :

#include <stdio.h>
#include <pcap.h>
#include <stdlib.h>

int main(int argc, char **argv) 
{ 
  unsigned int packet_counter=0;
  struct pcap_pkthdr header; 
  const u_char *packet;

  if (argc < 2) { 
    fprintf(stderr, "Usage: %s <pcap>\n", argv[0]); 
    exit(1); 
  } 

   pcap_t *handle; 
   char errbuf[PCAP_ERRBUF_SIZE];  
   handle = pcap_open_offline(argv[1], errbuf); 

   if (handle == NULL) { 
     fprintf(stderr,"Couldn't open pcap file %s: %s\n", argv[1], errbuf); 
     return(2); 
   } 

   while (packet = pcap_next(handle,&header)) { 

      packet_counter++;

    } 
    pcap_close(handle);


  printf("%d\n", packet_counter);
  return 0;
}

NOTE: you need to install the libpcap headers (on Linux search for libpcap dev/devel package)

Then compile with gcc -o myprogram myprogram.c -lpcap

Answer 3

The only way to determine how many packets are in the file is to read the entire file. There is, in fact, no packet count in the file header (because the format was designed to be writable in one pass), and there is, in fact, no footer.

Answer 4

Robert Edmonds, author of pcaputils, mentioned to me that there is already a program doing what I want, capinfos, in the Wireshark package. It displays various indications about a pcap file, including the number of packets it contain.

Reading the code source, it appears to work by walking the whole file, sequentially.

Answer 5

The only method I know of is to read the file, captured frame by captured frame and increment a "packet counter. There is, however, a small frame header that contains the length of the stored frame, so you could seek forward in the file by that length. It may not be any faster, mind you.

However, if you're interested in doing more than simply count the number of captured frames, it may make sense to read through the data and build a chain of captured frames while counting them, for future use. My PCAP library for Common Lisp does this. It reads "next frame" on an as-needed basis, storing raw frames in a double-linked list for easier future "next/previous" frame navigation, reading more frames from disk as needed. However, the parsing of the frame contents are left to the library user's discretion and isn't enforced by simply reading the frame octets into the data structure.