D.7. editcap: Edit capture files

Included with Wireshark is a small command-line utility called editcap for working with capture files. Its main function is to select packets in a capture file and delete (or, with -r, keep) them, but it can also convert a capture from one file format or encapsulation type to another, truncate packets to a snapshot length, shift or re-order timestamps, remove duplicate packets, split a capture into several files, and (with -v) print packet lengths and MD5 hashes. Note that editcap never edits a file in place: it always reads <infile> and writes a new <outfile>.

Example D.4. Help information available from editcap

$ editcap -h
Editcap 1.4.0
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        don't output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss).
  -B <stop time>         don't output packets whose timestamp is after the
                         given time (format as YYYY-MM-DD hh:mm:ss).

Duplicate packet removal:
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).

           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -v may not always work as expected.
           Specifically the -r and -t options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C <choplen>           chop each packet at the end by <choplen> bytes.
  -t <time adjustment>   adjust the timestamp of each packet;
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to insure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.)
                         that a particular packet byte will be randomly changed.

Output File(s):
  -c <packets per file>  split the packet output to different files
                         based on uniform packet counts
                         with a maximum of <packets per file> each.
  -i <seconds per file>  split the packet output to different files
                         based on uniform time intervals
                         with a maximum of <seconds per file> each.
  -F <capture type>      set the output file type; default is libpcap.
                         an empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type;
                         default is the same as the input file.
                         an empty "-T" option will list the encapsulation types.

Miscellaneous:
  -h                     display this help and exit.
  -v                     verbose output.
                         If -v is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-out.

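The help text above describes the options, but it does not show what editcap actually does to the bytes of a capture. The following is an added example, not editcap's source and not Wireshark project code: it reimplements the semantics of packet-number ranges (with and without -r), -s <snaplen>, the -A/-B time window, and -d/-D duplicate removal with MD5 hashes on a small libpcap file built in memory, so it runs offline and needs no editcap binary. Every name in it (build_pcap, parse_pcap, select_packets, demo, the constructed frames and timestamps) is this example's own; it assumes -A/-B times are UTC (the real editcap interprets them in local time) and compares packets purely by the MD5 of their stored bytes.

```python
"""Minimal libpcap reader/writer with editcap-style packet selection.

Added example for the editcap section. It is NOT editcap's code; it mimics
the documented behaviour of a few options on a constructed in-memory pcap.
"""
import hashlib
import struct
from datetime import datetime, timezone

PCAP_MAGIC = 0xA1B2C3D4   # microsecond libpcap, native byte order
LINKTYPE_ETHERNET = 1      # "ether" in the editcap -T list


def build_pcap(records, snaplen=65535, linktype=LINKTYPE_ETHERNET):
    """Serialize (ts_sec, ts_usec, orig_len, data) records as a libpcap file."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, orig_len, data in records:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), orig_len) + data
    return bytes(out)


def parse_pcap(blob):
    """Parse a libpcap file in either byte order -> (linktype, snaplen, records).
    Length fields are checked against snaplen and orig_len so a hostile file
    cannot make us read past the buffer or accept nonsense records."""
    (magic,) = struct.unpack("<I", blob[:4])
    end = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a microsecond libpcap file: magic 0x%08x" % magic)
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(end + "IHHiIII", blob[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    records, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", blob[off:off + 16])
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("bad record length at offset %d" % off)
        data = blob[off + 16:off + 16 + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append((ts_sec, ts_usec, orig_len, data))
        off += 16 + incl_len
    return linktype, snaplen, records


def select_packets(records, ranges, keep=False):
    """'<packet#>[-<packet#>] ...' semantics: 1-based numbers; selected packets
    are deleted by default, kept when keep=True (editcap -r)."""
    selected = set()
    for lo, hi in ranges:
        selected.update(range(lo, hi + 1))
    return [r for i, r in enumerate(records, start=1) if (i in selected) == keep]


def truncate(records, snaplen):
    """editcap -s <snaplen>: cut stored bytes to snaplen, keep orig_len intact."""
    return [(s, u, o, d[:snaplen]) for s, u, o, d in records]


def time_window(records, start=None, stop=None):
    """editcap -A/-B: drop packets timestamped before start or after stop.
    Assumption: 'YYYY-MM-DD hh:mm:ss' is read as UTC (real editcap: local time)."""
    def to_epoch(s):
        return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
    lo = to_epoch(start) if start else float("-inf")
    hi = to_epoch(stop) if stop else float("inf")
    return [r for r in records if lo <= r[0] + r[1] / 1e6 <= hi]


def remove_duplicates(records, window=5):
    """editcap -d/-D <dup window>: drop a packet whose MD5 matches one of the
    previous <window> packets. window=0 removes nothing but still returns the
    (length, md5) list that editcap -D 0 -v would print."""
    kept, recent, hashes = [], [], []
    for rec in records:
        digest = hashlib.md5(rec[3]).hexdigest()
        hashes.append((len(rec[3]), digest))
        if digest not in recent:
            kept.append(rec)
        recent = (recent + [digest])[-window:] if window else []
    return kept, hashes


def demo():
    """Round-trip a constructed 5-packet capture through each operation."""
    base = 1262304000  # constructed: 2010-01-01 00:00:00 UTC

    def frame(tag):    # constructed 54-byte Ethernet-sized frame, tag at offset 14
        return b"\x00" * 12 + b"\x08\x00" + tag * 40

    records = [(base, 0, 54, frame(b"A")), (base + 1, 0, 54, frame(b"B")),
               (base + 1, 500000, 54, frame(b"A")),   # duplicate of packet 1
               (base + 3, 0, 54, frame(b"C")), (base + 9, 0, 54, frame(b"D"))]
    _, _, parsed = parse_pcap(build_pcap(records))
    assert parsed == records                       # writer and reader agree
    tag = lambda recs: [r[3][14:15] for r in recs]
    return {
        "delete_2-3": tag(select_packets(parsed, [(2, 3)])),
        "keep_2-3": tag(select_packets(parsed, [(2, 3)], keep=True)),
        "snaplen_20": [len(r[3]) for r in truncate(parsed, 20)],
        "window": tag(time_window(parsed, "2010-01-01 00:00:01", "2010-01-01 00:00:03")),
        "dedup": tag(remove_duplicates(parsed, 5)[0]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two practical points the code makes visible: the -s truncation shortens only the stored bytes and leaves orig_len (and therefore IP addresses, ports and lengths in the headers you keep) in the file, so it reduces but does not anonymize what a shared capture reveals; and the parser's length checks are the kind of validation any tool reading untrusted captures needs, since incl_len and orig_len come straight from the file.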
Example D.5. Capture file types available from editcap

$ editcap -F
editcap: option requires an argument -- F
editcap: The available capture file types for the "-F" flag are:
    libpcap - Wireshark/tcpdump/... - libpcap
    nseclibpcap - Wireshark - nanosecond libpcap
    modlibpcap - Modified tcpdump - libpcap
    nokialibpcap - Nokia tcpdump - libpcap
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    5views - Accellent 5Views capture
    dct2000 - Catapult DCT2000 trace (.out format)
    nettl - HP-UX nettl trace
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    ngsniffer - NA Sniffer (DOS)
    ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
    ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
    niobserverv9 - Network Instruments Observer (V9)
    lanalyzer - Novell LANalyzer
    snoop - Sun snoop
    rf5 - Tektronix K12xx 32-bit .rf5 format
    visual - Visual Networks traffic capture
    k12text - K12 text file
    commview - TamoSoft CommView
    pcapng - Wireshark - pcapng (experimental)
    btsnoop - Symbian OS btsnoop
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
Example D.6. Encapsulation types available from editcap
$ editcap -T
editcap: option requires an argument -- T
editcap: The available encapsulation types for the "-T" flag are:
    unknown - Unknown
    ether - Ethernet
    tr - Token Ring
    slip - SLIP
    ppp - PPP
    fddi - FDDI
    fddi-swapped - FDDI with bit-swapped MAC addresses
    rawip - Raw IP
    arcnet - ARCNET
    arcnet_linux - Linux ARCNET
    atm-rfc1483 - RFC 1483 ATM
    linux-atm-clip - Linux ATM CLIP
    lapb - LAPB
    atm-pdus - ATM PDUs
    atm-pdus-untruncated - ATM PDUs - untruncated
    null - NULL
    ascend - Lucent/Ascend access equipment
    isdn - ISDN
    ip-over-fc - RFC 2625 IP-over-Fibre Channel
    ppp-with-direction - PPP with Directional Info
    ieee-802-11 - IEEE 802.11 Wireless LAN
    prism - IEEE 802.11 plus Prism II monitor mode header
    ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
    ieee-802-11-radiotap - IEEE 802.11 plus radiotap WLAN header
    ieee-802-11-avs - IEEE 802.11 plus AVS WLAN header
    linux-sll - Linux cooked-mode capture
    frelay - Frame Relay
    frelay-with-direction - Frame Relay with Directional Info
    chdlc - Cisco HDLC
    ios - Cisco IOS internal
    ltalk - Localtalk
    pflog-old - OpenBSD PF Firewall logs, pre-3.4
    hhdlc - HiPath HDLC
    docsis - Data Over Cable Service Interface Specification
    cosine - CoSine L2 debug log
    whdlc - Wellfleet HDLC
    sdlc - SDLC
    tzsp - Tazmen sniffer protocol
    enc - OpenBSD enc(4) encapsulating interface
    pflog - OpenBSD PF Firewall logs
    chdlc-with-direction - Cisco HDLC with Directional Info
    bluetooth-h4 - Bluetooth H4
    mtp2 - SS7 MTP2
    mtp3 - SS7 MTP3
    irda - IrDA
    user0 - USER 0
    user1 - USER 1
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    symantec - Symantec Enterprise Firewall
    ap1394 - Apple IP-over-IEEE 1394
    bacnet-ms-tp - BACnet MS/TP
    raw-icmp-nettl - Raw ICMP with nettl headers
    raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
    gprs-llc - GPRS LLC
    juniper-atm1 - Juniper ATM1
    juniper-atm2 - Juniper ATM2
    redback - Redback SmartEdge
    rawip-nettl - Raw IP with nettl headers
    ether-nettl - Ethernet with nettl headers
    tr-nettl - Token Ring with nettl headers
    fddi-nettl - FDDI with nettl headers
    unknown-nettl - Unknown link-layer type with nettl headers
    mtp2-with-phdr - MTP2 with pseudoheader
    juniper-pppoe - Juniper PPPoE
    gcom-tie1 - GCOM TIE1
    gcom-serial - GCOM Serial
    x25-nettl - X25 with nettl headers
    k12 - K12 protocol analyzer
    juniper-mlppp - Juniper MLPPP
    juniper-mlfr - Juniper MLFR
    juniper-ether - Juniper Ethernet
    juniper-ppp - Juniper PPP
    juniper-frelay - Juniper Frame-Relay
    juniper-chdlc - Juniper C-HDLC
    juniper-ggsn - Juniper GGSN
    lapd - LAPD
    dct2000 - Catapult DCT2000
    ber - ASN.1 Basic Encoding Rules
    juniper-vp - Juniper Voice PIC
    usb - Raw USB packets
    ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
    raw-telnet-nettl - Raw telnet with nettl headers
    usb-linux - USB packets with Linux header
    mpeg - MPEG
    ppi - Per-Packet Information header
    erf - Endace Record File
    bluetooth-h4 - Bluetooth H4 with linux header
    sita-wan - SITA WAN packets
    sccp - SS7 SCCP
    bluetooth-hci - Bluetooth without transport layer
    ipmb - Intelligent Platform Management Bus
    wpan - IEEE 802.15.4 Wireless PAN
    x2e-xoraya - X2E Xoraya
    flexray - FlexRay
    lin - Local Interconnect Network
    most - Media Oriented Systems Transport
    can20b - Controller Area Network 2.0B
    layer1-event - EyeSDN Layer 1 event
    x2e-serial - X2E serial line capture
    i2c - I2C
    wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
    tnef - Transport-Neutral Encapsulation Format
    usb-linux-mmap - USB packets with Linux header and padding
    gsm_um - GSM Um Interface
    dpnss_link - Digital Private Signalling System No 1 Link Layer
    packetlogger - PacketLogger
    nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
    nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
    fc2 - Fibre Channel FC-2
    fc2sof - Fibre Channel FC-2 With Frame Delimiter
    jfif - JPEG/JFIF
    ipnet - Solaris IPNET