16

I need a program which prints the number of packets in a capture file which uses the pcap format. This number does not seem available in the pcap header (probably because it is written before the capture starts) and it does not seem there is a "footer" in the file, with this information.

So, I believe the only algorithm is to loop over all the packets and sum them. It is in O(N) and, for large traces, quite long.

I post here to see if someone has a cleverer idea?

I tagged with "C" because it is the language I currently use but I believe it is a language-independent issue.

bortzmeyer
  • "This number does not seem available in the pcap header (probably because it is written before the capture starts) and it does not seem there is a "footer" in the file, with this information." Yes, that's why it's not in the header (pcap files can be written to a pipe, so you can't seek back and rewrite the header when you're done), and, no, there is no footer. –  Mar 28 '14 at 19:28

5 Answers

20

Robert Edmonds, author of pcaputils, mentioned to me that there is already a program doing what I want, capinfos, in the Wireshark package. It displays various indications about a pcap file, including the number of packets it contains.

Reading the source code, it appears to work by walking the whole file, sequentially.

bortzmeyer
  • That is exactly how it works. In the general case (Wireshark can read a number of different capture file formats, including pcap and pcap-ng), that's the only way it can work, as most file formats don't have a packet count at the beginning. –  Mar 28 '14 at 19:25
  • For displaying the exact number of packets and not the human readable version try the following command: capinfos -Mc file.pcap | grep "Number" | tr -d " " | cut -d ":" -f 2 – schuess Sep 26 '17 at 14:18
7

If you want the number of frames in the pcap:

tshark -r test.cap | wc -l

Using capinfos:

capinfos test.cap | grep "Number of packets"| tr -d " " | cut -d ":" -f 2

Using tcpdump:

tcpdump -r test.cap 2>/dev/null| wc -l

So basically, use libpcap; here is an example:

#include <stdio.h>
#include <stdlib.h>
#include <pcap.h>

int main(int argc, char **argv)
{
  unsigned int packet_counter = 0;
  struct pcap_pkthdr header;      /* per-packet metadata: timestamp, caplen, len */
  const u_char *packet;
  pcap_t *handle;
  char errbuf[PCAP_ERRBUF_SIZE];

  if (argc < 2) {
    fprintf(stderr, "Usage: %s <pcap>\n", argv[0]);
    exit(1);
  }

  /* Open the saved capture; libpcap handles byte order, pcap vs. pcap-ng, etc. */
  handle = pcap_open_offline(argv[1], errbuf);
  if (handle == NULL) {
    fprintf(stderr, "Couldn't open pcap file %s: %s\n", argv[1], errbuf);
    return 2;
  }

  /* pcap_next() returns NULL at end of file (and also on a read error;
     use pcap_next_ex() if you need to tell the two apart). */
  while ((packet = pcap_next(handle, &header)) != NULL) {
    packet_counter++;
  }
  pcap_close(handle);

  printf("%u\n", packet_counter);
  return 0;
}

NOTE: you need to install the libpcap headers (on Linux search for libpcap dev/devel package)

Then compile with gcc -o myprogram myprogram.c -lpcap

UnX
  • Or just run capinfos, which, like tshark, is part of the Wireshark distribution and which does a lot less work and will produce the answer faster. –  Mar 28 '14 at 19:26
  • If the circumstances are "you have Wireshark installed, it's not a version so old that it doesn't have capinfos, and you want a quick count of packets in a file", the best way to do things is to use capinfos. –  Mar 29 '14 at 18:43
  • I'm not sure what's the problem with my answer but the question was – UnX Mar 30 '14 at 01:03
  • This also produces a number of packets ( just the number) capinfos test.cap|grep "Number of packets"| tr -d " "| cut -d ":" -f 2 – UnX Mar 30 '14 at 01:20
  • "I'm not sure what's the problem with my answer" The problem with your original answer is that it was overkill. It's sort of like going to the house next door by walking around the block. –  Mar 30 '14 at 03:29
  • straight lines can be curves and vice versa, it all depends on the referential.. :) – UnX Mar 30 '14 at 13:38
  • argument `-M` to capinfos to override the human-readable default – schuess Sep 22 '17 at 16:04
  • Instead of `grep`/`tr` and `cut` you can (now?) simply use `-c`, at best in combination with `-M` like already noted: capinfos dump.pcap -c -M – Murmel Sep 24 '18 at 13:47
5

The only way to determine how many packets are in the file is to read the entire file. There is, in fact, no packet count in the file header (because the format was designed to be writable in one pass), and there is, in fact, no footer.

1

The only method I know of is to read the file, captured frame by captured frame, and increment a "packet counter". There is, however, a small frame header that contains the length of the stored frame, so you could seek forward in the file by that length. It may not be any faster, mind you.

However, if you're interested in doing more than simply count the number of captured frames, it may make sense to read through the data and build a chain of captured frames while counting them, for future use. My PCAP library for Common Lisp does this. It reads "next frame" on an as-needed basis, storing raw frames in a double-linked list for easier future "next/previous" frame navigation, reading more frames from disk as needed. However, the parsing of the frame contents is left to the library user's discretion and isn't enforced by simply reading the frame octets into the data structure.

Vatine
  • In C, there is no need to use the "small frame header that contains the length of the stored frame", pcap_next() does it for you. – bortzmeyer Mar 25 '09 at 11:06
  • My library can be downloaded from http://src.hexapodia.net/pcap.tar.gz. I suspect using pcap_next() will do some frame parsing and that may make things arbitrarily slower, one of the reasons I split "read packet" from "parse packet". – Vatine Mar 25 '09 at 11:12
  • Nevertheless, accessing the trace directly, instead of relying on pcap_next(), seems dangerous to me. I prefer using the official API. Thanks for the code, it's a long time since I've read Lisp. – bortzmeyer Mar 28 '09 at 07:39
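The question and Vatine's answer both describe the layout that makes this an O(N) walk: a 24-byte file header with no packet count, followed by a 16-byte header per record carrying the stored length. The program below, added here as an example and not code from either poster, implements that walk directly against the classic pcap format, seeking past each record's data instead of reading it, as Vatine suggests. It accepts both byte orders of the magic number and the nanosecond variant, and it refuses a truncated final record or an absurd length field (capped at 262144 bytes, libpcap's maximum snapshot length) rather than silently counting it. The helper make_test_pcap() writes a constructed capture into a tmpfile() so the program runs offline; every function and constant name here is this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Classic pcap magic numbers: microsecond and nanosecond timestamp variants.
 * A file written on a host of the other endianness carries them byte-swapped. */
#define PCAP_MAGIC_US   0xa1b2c3d4u
#define PCAP_MAGIC_NS   0xa1b23c4du
#define PCAP_MAX_RECORD 262144u   /* libpcap's maximum snapshot length */

enum { PCAP_COUNT_BAD_MAGIC = -1, PCAP_COUNT_TRUNCATED = -2, PCAP_COUNT_BAD_LEN = -3 };

static uint32_t swap32(uint32_t v) { return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24); }
static uint32_t get32(const unsigned char *p, int swap) { uint32_t v; memcpy(&v, p, 4); return swap ? swap32(v) : v; }
static void put32(unsigned char *p, uint32_t v, int swap) { if (swap) v = swap32(v); memcpy(p, &v, 4); }
static void put16(unsigned char *p, uint16_t v, int swap) { if (swap) v = (uint16_t)((v >> 8) | (v << 8)); memcpy(p, &v, 2); }

/* Count packet records in a seekable classic-pcap stream without reading the
 * packet data: 24-byte file header, then per packet a 16-byte record header
 * (ts_sec, ts_frac, incl_len, orig_len) followed by incl_len bytes, skipped
 * with fseek(). Returns the count or a negative PCAP_COUNT_* code. */
long count_pcap_packets(FILE *fp)
{
    unsigned char fh[24], rh[16];
    long size, pos, count = 0;
    uint32_t magic, incl_len;
    int swap;

    if (fseek(fp, 0, SEEK_END) != 0 || (size = ftell(fp)) < 0) return PCAP_COUNT_TRUNCATED;
    rewind(fp);
    if (fread(fh, 1, sizeof fh, fp) != sizeof fh) return PCAP_COUNT_TRUNCATED;

    memcpy(&magic, fh, 4);
    if (magic == PCAP_MAGIC_US || magic == PCAP_MAGIC_NS) swap = 0;
    else if (swap32(magic) == PCAP_MAGIC_US || swap32(magic) == PCAP_MAGIC_NS) swap = 1;
    else return PCAP_COUNT_BAD_MAGIC;   /* pcapng, or not a capture at all */

    for (;;) {
        size_t n = fread(rh, 1, sizeof rh, fp);
        if (n == 0) break;                                 /* clean end of file */
        if (n != sizeof rh) return PCAP_COUNT_TRUNCATED;   /* partial record header */
        incl_len = get32(rh + 8, swap);
        if (incl_len > PCAP_MAX_RECORD) return PCAP_COUNT_BAD_LEN;   /* corrupt length field */
        pos = ftell(fp);
        if (pos < 0 || (long)incl_len > size - pos) return PCAP_COUNT_TRUNCATED; /* data cut short */
        if (fseek(fp, (long)incl_len, SEEK_CUR) != 0) return PCAP_COUNT_TRUNCATED;
        count++;
    }
    return count;
}

/* Write a constructed (not captured) pcap into a tmpfile(): npackets records of
 * datalen filler bytes. truncate_last halves the last record's data; swapped
 * writes every field in the opposite byte order. */
FILE *make_test_pcap(int npackets, uint32_t datalen, int truncate_last, int swapped)
{
    unsigned char fh[24] = {0}, rh[16] = {0}, filler[256];
    FILE *fp = tmpfile();
    if (fp == NULL || datalen > sizeof filler) return NULL;

    put32(fh, PCAP_MAGIC_US, swapped);
    put16(fh + 4, 2, swapped);          /* version 2.4 */
    put16(fh + 6, 4, swapped);
    put32(fh + 16, 65535, swapped);     /* snaplen */
    put32(fh + 20, 1, swapped);         /* LINKTYPE_ETHERNET */
    fwrite(fh, 1, sizeof fh, fp);

    memset(filler, 0xAB, sizeof filler);
    for (int i = 0; i < npackets; i++) {
        uint32_t n = (truncate_last && i == npackets - 1) ? datalen / 2 : datalen;
        put32(rh, (uint32_t)(1000000 + i), swapped);   /* ts_sec, constructed value */
        put32(rh + 8, datalen, swapped);               /* incl_len */
        put32(rh + 12, datalen, swapped);              /* orig_len */
        fwrite(rh, 1, sizeof rh, fp);
        fwrite(filler, 1, n, fp);
    }
    rewind(fp);
    return fp;
}

/* Build, count, close: one call per scenario. */
long count_test_pcap(int npackets, uint32_t datalen, int truncate_last, int swapped)
{
    FILE *fp = make_test_pcap(npackets, datalen, truncate_last, swapped);
    long n = fp ? count_pcap_packets(fp) : PCAP_COUNT_TRUNCATED;
    if (fp) fclose(fp);
    return n;
}

int main(int argc, char **argv)
{
    FILE *fp = argc > 1 ? fopen(argv[1], "rb") : make_test_pcap(3, 60, 0, 0);
    long n = fp ? count_pcap_packets(fp) : -1;
    if (fp) fclose(fp);
    if (n < 0) { fprintf(stderr, "cannot open or read pcap (code %ld)\n", n); return 1; }
    printf("%ld\n", n);
    return 0;
}
```

Run it with a capture path to count that file, or with no argument to count the constructed three-packet sample. Because the data is skipped rather than read, the work per packet is one small header read plus a seek, which is the most that can be saved once the file format gives no total. A pipe, as mentioned in the comment on the question, cannot be seeked, so there the data would have to be fread() and discarded instead.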
0

You can use tshark with -qz to print statistics for the .pcap file.

For example, to analyze the file in 5-sec intervals:

❯ tshark -r file1.pcap -qz io,stat,5,"COUNT(frame) frame"

=============================
| IO Statistics             |
|                           |
| Duration: 17. 29551 secs  |
| Interval:  5 secs         |
|                           |
| Col 1: COUNT(frame) frame |
|---------------------------|
|          |1      |        |
| Interval | COUNT |        |
|------------------|        |
|  0 <>  5 |    10 |        |
|  5 <> 10 |    10 |        |
| 10 <> 15 |    10 |        |
| 15 <> Dur|     6 |        |
=============================

Same file, now using a single 30-sec interval:

❯ tshark -r file1.pcap -qz io,stat,30,"COUNT(frame) frame"

==================================
| IO Statistics                  |
|                                |
| Duration: 17.0 secs            |
| Interval: 17.0 secs            |
|                                |
| Col 1: COUNT(frame) frame      |
|--------------------------------|
|              |1      |         |
| Interval     | COUNT |         |
|----------------------|         |
|  0.0 <> 17.0 |    36 |         |
==================================
Mark