When both start and stop timestamp are earlier than the first packet timestamp in the packet checked checked, cppip emits the first two packets from the pcap. It should realize this is an error condition and emit 0 packets.

The bug:

$ cppip -f -D  -e timestamp:2013-06-16:14:06:30.000000-2013-06-18:16:16:30.00000 index.cppip pcap.gz out.pcap
extracting from pcap.gz using index.cppip...
DBG: first pkt ts:              (1402952699) 2014-06-16 14:04:59.944155
DBG: start pkt ts:              (1371416790) 2013-06-16 14:06:30.000000
DBG: stop pkt ts                (1371597390) 2013-06-18 16:16:30.000000
DBG: index level:               1 0
DBG: entered at pkt ts:         2013-06-16 14:06:30.000000
DBG: fuzzy match at iteration:  1
start ts: 2013-06-16 14:06:30.000000 not found, instead fuzzy matched on 2014-06-16 14:04:59.944155
stop ts: 2013-06-18 16:16:30.000000 not found, instead fuzzy matched on 2014-06-16 14:04:59.944195
wrote 2 packets to out.pcap.

I'm not sure if this is still being worked on, but I'm going to throw this out there anyways. When I specify a TS range that is before or after the TS in the index, I get no packets written to the output. I would like to be able to pass it a wider range.

For instance, if I would like to specify a start time, and if that time is before the first TS in the index, have it use that first S in the index instead. The same for end TS that lay after the last TS in the index.

If I'm reading this right, the sanity check just returns you out if the start TS is earlier than the first TS.

Hi,
This patch is needed to build on ubuntu

--- configure.ac~orig 2013-05-04 12:48:03.420621418 +0000
+++ configure.ac 2013-05-04 12:55:09.560611547 +0000
@@ -12,20 +12,24 @@

Checks for libraries.

AC_CHECK_LIB([z], [inflate])
+AC_CHECK_LIB([m], [floor])
AC_CHECK_LIB([tabix], [bgzf_open], ,[AC_MSG_ERROR(cannot find tabixtools library you need to install it or tell me where to find it)])

Checks for header files.

-AC_CHECK_HEADERS([fcntl.h stdlib.h string.h unistd.h])
+AC_CHECK_HEADERS([fcntl.h stdlib.h string.h unistd.h sys/time.h])
AC_CHECK_HEADERS([bgzf.h], ,[AC_MSG_ERROR(cannot find tabixtools header you need to install it or tell me where to find it)])

Checks for typedefs, structures, and compiler characteristics.

+AC_TYPE_OFF_T
AC_TYPE_UINT16_T
AC_TYPE_UINT32_T
AC_TYPE_UINT64_T
AC_TYPE_UINT8_T

Checks for library functions.

-AC_CHECK_FUNCS([memset strerror strtol])
+AC_FUNC_MALLOC
+AC_FUNC_MKTIME
+AC_CHECK_FUNCS([floor gettimeofday memset strdup strerror strtol])

AC_CONFIG_FILES([Makefile src/Makefile])
AC_OUTPUT

./cppip -D -f -e timestamp:2015-10-21:08:33:02-2015-10-21:08:33:20 1445412783.cppip 1445412783.pcap.gz carved-1445412783.pcap
extracting from 1445412783.pcap.gz using 1445412783.cppip...
DBG: first pkt ts: (1445412782) 2015-10-21 07:33:02.690245
DBG: start pkt ts: (1445412782) 2015-10-21 07:33:02.000000
DBG: stop pkt ts (1445412800) 2015-10-21 07:33:20.000000
DBG: index level: 1 0
DBG: entered at pkt ts: 2015-10-21 07:33:02.000000
DBG: fuzzy match at iteration: 1
start ts: 2015-10-21 07:33:02.000000 not found, instead fuzzy matched on 2015-10-21 07:33:02.690245
Segmentation fault

(gdb) bt
#0 0x00007ffff7649d6b in __memcpy_ssse3_back () from /lib64/libc.so.6
#1 0x000000000040335f in extract_by_ts (c=0x60b010) at extract.c:367

./cppip -v 1445412783.cppip
valid cppip index file
version: 1.4
created: 2015-11-02 18:53:49.616815
packets in pcap:1633283
indexing mode: timestamp
index level: 0:0:0:1
record count: 60

I could very likely be doing something incorrectly, let me know if more info is needed.

Also the timestamps I have to input have to be off by and hour or I get an error that the end TS if before the start of the file.