Add --skip option to skip some packets before writing or printing

With this change, we can write/print some contiguous packets from a file.
We can also skip some packets doing a live capture.

The '--skip 0' option is allowed to help some loop in a shell script.

Examples:

Skip 3 packets when printing:
tcpdump -#n --skip 3 -r in.pcap

Write the sixth packet, if any:
tcpdump --skip 5 -c 1 -r in.pcap -w out.pcap

Write up to 5 packets after skipping 3:
tcpdump --skip 3 -c 5 -r in.pcap -w out.pcap

Author: fxlb

CHANGES

@@ -37,6 +37,7 @@ DayOfTheWeek, Month DD, YYYY / The Tcpdump Group
       Add optional unit suffix on -C file size.
       Add --print-sampling to print every Nth packet instead of all.
       Add --lengths option to print the captured and original packet lengths.
+      Add --skip option to skip some packets before writing or printing.
     Source code:
       Drop support for building with versions of libpcap that don't
         support all the libpcap 1.0 APIs.

tcpdump.1.in

@@ -108,17 +108,21 @@ tcpdump \- dump traffic on a network
 .I snaplen
 ]
 [
+.B \-\-skip
+.I count
+]
+[
 .B \-T
 .I type
 ]
 [
 .B \-\-version
 ]
+.ti +8
 [
 .B \-V
 .I file
 ]
-.ti +8
 [
 .B \-w
 .I file
@@ -275,7 +279,10 @@ Set the operating system capture buffer size to \fIbuffer_size\fP, in
 units of KiB (1024 bytes).
 .TP
 .BI \-c " count"
-Exit after receiving \fIcount\fP packets.
+Exit after receiving or reading \fIcount\fP packets.
+If the
+.B --skip
+option is used, the \fIcount\fP starts after the skipped packets.
 .TP
 .BI \-\-count
 Print only on stdout the packet count when reading capture file(s) instead
@@ -761,6 +768,10 @@ protocol information you're interested in.  Setting
 for backwards compatibility with recent older versions of
 .IR tcpdump .
 .TP
+.BI \-\-skip " count"
+Skip \fIcount\fP packets before writing or printing.
+\fIcount\fP with value 0 is allowed.
+.TP
 .BI \-T " type"
 Force packets selected by "\fIexpression\fP" to be interpreted the
 specified \fItype\fR.

tcpdump.c

@@ -211,6 +211,7 @@ static int timeout = 1000;		/* default timeout = 1000 ms = 1 s */
 static int immediate_mode;
 #endif
 static int count_mode;
+static u_int packets_skipped;
 
 static int infodelay;
 static int infoprint;
@@ -642,6 +643,7 @@ show_remote_devices_and_exit(void)
 #define OPTION_PRINT_SAMPLING		137
 #define OPTION_LENGTHS			138
 #define OPTION_TIME_T_SIZE		139
+#define OPTION_SKIP			140
 
 static const struct option longopts[] = {
 	{ "buffer-size", required_argument, NULL, 'B' },
@@ -684,6 +686,7 @@ static const struct option longopts[] = {
 	{ "print-sampling", required_argument, NULL, OPTION_PRINT_SAMPLING },
 	{ "lengths", no_argument, NULL, OPTION_LENGTHS },
 	{ "time-t-size", no_argument, NULL, OPTION_TIME_T_SIZE },
+	{ "skip", required_argument, NULL, OPTION_SKIP },
 	{ "version", no_argument, NULL, OPTION_VERSION },
 	{ NULL, 0, NULL, 0 }
 };
@@ -1943,6 +1946,14 @@ main(int argc, char **argv)
 				error("invalid print sampling %s", optarg);
 			break;
 
+		case OPTION_SKIP:
+			errno = 0;
+			packets_skipped = (u_int)strtoul(optarg, &end, 0);
+			if (optarg[0] == '-' || optarg == end || *end != '\0' ||
+			    errno != 0)
+				error("invalid packet skipped %s", optarg);
+			break;
+
 #ifdef HAVE_PCAP_SET_TSTAMP_PRECISION
 		case OPTION_TSTAMP_MICRO:
 			ndo->ndo_tstamp_precision = PCAP_TSTAMP_PRECISION_MICRO;
@@ -2569,7 +2580,9 @@ DIAG_ON_ASSIGN_ENUM
 #endif	/* HAVE_CAPSICUM */
 
 	do {
-		status = pcap_loop(pd, cnt, callback, pcap_userdata);
+		status = pcap_loop(pd,
+				   cnt + (cnt == -1 ? 0 : packets_skipped),
+				   callback, pcap_userdata);
 		if (WFileName == NULL) {
 			/*
 			 * We're printing packets.  Flush the printed output,
@@ -2931,6 +2944,9 @@ dump_packet_and_trunc(u_char *user, const struct pcap_pkthdr *h, const u_char *s
 
 	dump_info = (struct dump_info *)user;
 
+	if (packets_captured <= packets_skipped)
+		return;
+
 	/*
 	 * XXX - this won't force the file to rotate on the specified time
 	 * boundary, but it will rotate on the first packet received after the
@@ -3060,6 +3076,9 @@ dump_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
 
 	dump_info = (struct dump_info *)user;
 
+	if (packets_captured <= packets_skipped)
+		return;
+
 	pcap_dump((u_char *)dump_info->pdd, h, sp);
 	if (Uflag)
 		pcap_dump_flush(dump_info->pdd);
@@ -3079,7 +3098,7 @@ print_packet(u_char *user, const struct pcap_pkthdr *h, const u_char *sp)
 
 	++infodelay;
 
-	if (!count_mode)
+	if (!count_mode && packets_captured > packets_skipped)
 		pretty_print_packet((netdissect_options *)user, h, sp, packets_captured);
 
 	--infodelay;

tests/TESTLIST

@@ -352,6 +352,10 @@ dns_udp dns_udp.pcap dns_udp.out
 dns_udp-v dns_udp.pcap dns_udp-v.out -v
 dns_udp-vv dns_udp.pcap dns_udp-vv.out -vv
 dns_udp-vvv dns_udp.pcap dns_udp-vvv.out -vvv
+# tests with --skip option
+dns_tcp-skip-3 dns_tcp.pcap dns_tcp-skip-3.out --skip 3
+dns_tcp-skip-3-c-4 dns_tcp.pcap dns_tcp-skip-3-c-4.out --skip 3 -c 4
+dns_tcp-skip-3-c-1 dns_tcp.pcap dns_tcp-skip-3-c-1.out --skip 3 -c 1
 
 # DNS on non-standard ports.
 dns_tcp_8053 dns_tcp_8053.pcap dns_tcp_8053.out -vv

tests/dns_tcp-skip-3-c-1.out

@@ -0,0 +1 @@
+    4  2020-06-10 09:21:03.847323 IP 192.168.1.11.33779 > 209.87.249.18.53: Flags [P.], seq 603899917:603899975, ack 2043824404, win 64240, length 58 17177+ [1au] A? www.tcpdump.org. (56)

tests/dns_tcp-skip-3-c-4.out

@@ -0,0 +1,4 @@
+    4  2020-06-10 09:21:03.847323 IP 192.168.1.11.33779 > 209.87.249.18.53: Flags [P.], seq 603899917:603899975, ack 2043824404, win 64240, length 58 17177+ [1au] A? www.tcpdump.org. (56)
+    5  2020-06-10 09:21:03.847457 IP 209.87.249.18.53 > 192.168.1.11.33779: Flags [.], ack 58, win 64240, length 0
+    6  2020-06-10 09:21:03.973180 IP 209.87.249.18.53 > 192.168.1.11.33779: Flags [P.], seq 1:227, ack 58, win 64240, length 226 17177*- 2/2/5 A 192.139.46.66, A 198.199.88.104 (224)
+    7  2020-06-10 09:21:03.973220 IP 192.168.1.11.33779 > 209.87.249.18.53: Flags [.], ack 227, win 64014, length 0

tests/dns_tcp-skip-3.out

@@ -0,0 +1,8 @@
+    4  2020-06-10 09:21:03.847323 IP 192.168.1.11.33779 > 209.87.249.18.53: Flags [P.], seq 603899917:603899975, ack 2043824404, win 64240, length 58 17177+ [1au] A? www.tcpdump.org. (56)
+    5  2020-06-10 09:21:03.847457 IP 209.87.249.18.53 > 192.168.1.11.33779: Flags [.], ack 58, win 64240, length 0
+    6  2020-06-10 09:21:03.973180 IP 209.87.249.18.53 > 192.168.1.11.33779: Flags [P.], seq 1:227, ack 58, win 64240, length 226 17177*- 2/2/5 A 192.139.46.66, A 198.199.88.104 (224)
+    7  2020-06-10 09:21:03.973220 IP 192.168.1.11.33779 > 209.87.249.18.53: Flags [.], ack 227, win 64014, length 0
+    8  2020-06-10 09:21:03.974844 IP 192.168.1.11.33779 > 209.87.249.18.53: Flags [F.], seq 58, ack 227, win 64014, length 0
+    9  2020-06-10 09:21:03.975246 IP 209.87.249.18.53 > 192.168.1.11.33779: Flags [.], ack 59, win 64239, length 0
+   10  2020-06-10 09:21:04.101184 IP 209.87.249.18.53 > 192.168.1.11.33779: Flags [FP.], seq 227, ack 59, win 64239, length 0
+   11  2020-06-10 09:21:04.101256 IP 192.168.1.11.33779 > 209.87.249.18.53: Flags [.], ack 228, win 64014, length 0