Wireshark includes editcap, a small command-line utility for working with capture files. Its main function is to remove packets from capture files, but it can also convert capture files from one format to another and print information about capture files.
Example D.4. Help information available from editcap
$ editcap -h
Editcap 1.4.0
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        don't output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss).
  -B <stop time>         don't output packets whose timestamp is after the
                         given time (format as YYYY-MM-DD hh:mm:ss).

Duplicate packet removal:
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).

           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -v may not always work as expected.
           Specifically the -r and -t options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C <choplen>           chop each packet at the end by <choplen> bytes.
  -t <time adjustment>   adjust the timestamp of each packet;
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to insure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.)
                         that a particular packet byte will be randomly changed.

Output File(s):
  -c <packets per file>  split the packet output to different files
                         based on uniform packet counts
                         with a maximum of <packets per file> each.
  -i <seconds per file>  split the packet output to different files
                         based on uniform time intervals
                         with a maximum of <seconds per file> each.
  -F <capture type>      set the output file type; default is libpcap.
                         an empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type;
                         default is the same as the input file.
                         an empty "-T" option will list the encapsulation types.

Miscellaneous:
  -h                     display this help and exit.
  -v                     verbose output.
                         If -v is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-out.
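The duplicate-window behaviour of -d and -D can be hard to picture from the help text alone. The sketch below is an added example, not editcap's own code: it compares the length and MD5 hash of each packet against the previous <dup window> - 1 packets, which is how the editcap manual page describes the check. The function names and the in-memory sample capture are constructed for illustration.

```python
import hashlib
import struct
from collections import deque

PCAP_HDR = struct.Struct("<IHHiIII")  # classic libpcap file header (24 bytes)
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
MAGIC = 0xA1B2C3D4                    # microsecond-resolution libpcap


def build_pcap(packets, linktype=1):
    """Constructed sample input: pack (sec, usec, payload) tuples as libpcap."""
    out = [PCAP_HDR.pack(MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, data in packets:
        out.append(REC_HDR.pack(sec, usec, len(data), len(data)) + data)
    return b"".join(out)


def read_pcap(blob):
    """Yield the captured bytes of each record in a little-endian libpcap blob."""
    if len(blob) < PCAP_HDR.size or PCAP_HDR.unpack_from(blob)[0] != MAGIC:
        raise ValueError("not a little-endian libpcap capture")
    off = PCAP_HDR.size
    while off < len(blob):
        if off + REC_HDR.size > len(blob):
            raise ValueError("truncated record header")
        _sec, _usec, incl, _orig = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if off + incl > len(blob):
            raise ValueError("truncated packet data")
        yield blob[off:off + incl]
        off += incl


def dedup(blob, window=5):
    """Return (kept, dropped) 1-based packet numbers for a given dup window."""
    recent = deque(maxlen=max(window - 1, 0))  # window 0 or 1: nothing to compare
    kept, dropped = [], []
    for number, data in enumerate(read_pcap(blob), start=1):
        key = (len(data), hashlib.md5(data).hexdigest())
        (dropped if key in recent else kept).append(number)
        recent.append(key)  # duplicates still occupy a slot in the window
    return kept, dropped


# Constructed capture: packet 2 repeats packet 1 at once, packet 8 repeats it late.
SAMPLE = build_pcap([(1, 0, b"syn"), (1, 5, b"syn"), (1, 9, b"ack"),
                     (2, 0, b"data"), (2, 1, b"fin"), (2, 2, b"rst"),
                     (2, 3, b"psh"), (2, 4, b"syn")])

if __name__ == "__main__":
    print(dedup(SAMPLE), dedup(SAMPLE, window=10))
```

With the default window only the immediate repeat is dropped; a late retransmission survives unless the window is widened, which matters when de-duplicating captures taken from mirrored ports.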
Example D.5. Capture file types available from editcap
$ editcap -F
editcap: option requires an argument -- F
editcap: The available capture file types for the "-F" flag are:
    libpcap - Wireshark/tcpdump/... - libpcap
    nseclibpcap - Wireshark - nanosecond libpcap
    modlibpcap - Modified tcpdump - libpcap
    nokialibpcap - Nokia tcpdump - libpcap
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    5views - Accellent 5Views capture
    dct2000 - Catapult DCT2000 trace (.out format)
    nettl - HP-UX nettl trace
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    ngsniffer - NA Sniffer (DOS)
    ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
    ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
    niobserverv9 - Network Instruments Observer (V9)
    lanalyzer - Novell LANalyzer
    snoop - Sun snoop
    rf5 - Tektronix K12xx 32-bit .rf5 format
    visual - Visual Networks traffic capture
    k12text - K12 text file
    commview - TamoSoft CommView
    pcapng - Wireshark - pcapng (experimental)
    btsnoop - Symbian OS btsnoop
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
$ editcap -T
editcap: option requires an argument -- T
editcap: The available encapsulation types for the "-T" flag are:
    unknown - Unknown
    ether - Ethernet
    tr - Token Ring
    slip - SLIP
    ppp - PPP
    fddi - FDDI
    fddi-swapped - FDDI with bit-swapped MAC addresses
    rawip - Raw IP
    arcnet - ARCNET
    arcnet_linux - Linux ARCNET
    atm-rfc1483 - RFC 1483 ATM
    linux-atm-clip - Linux ATM CLIP
    lapb - LAPB
    atm-pdus - ATM PDUs
    atm-pdus-untruncated - ATM PDUs - untruncated
    null - NULL
    ascend - Lucent/Ascend access equipment
    isdn - ISDN
    ip-over-fc - RFC 2625 IP-over-Fibre Channel
    ppp-with-direction - PPP with Directional Info
    ieee-802-11 - IEEE 802.11 Wireless LAN
    prism - IEEE 802.11 plus Prism II monitor mode header
    ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
    ieee-802-11-radiotap - IEEE 802.11 plus radiotap WLAN header
    ieee-802-11-avs - IEEE 802.11 plus AVS WLAN header
    linux-sll - Linux cooked-mode capture
    frelay - Frame Relay
    frelay-with-direction - Frame Relay with Directional Info
    chdlc - Cisco HDLC
    ios - Cisco IOS internal
    ltalk - Localtalk
    pflog-old - OpenBSD PF Firewall logs, pre-3.4
    hhdlc - HiPath HDLC
    docsis - Data Over Cable Service Interface Specification
    cosine - CoSine L2 debug log
    whdlc - Wellfleet HDLC
    sdlc - SDLC
    tzsp - Tazmen sniffer protocol
    enc - OpenBSD enc(4) encapsulating interface
    pflog - OpenBSD PF Firewall logs
    chdlc-with-direction - Cisco HDLC with Directional Info
    bluetooth-h4 - Bluetooth H4
    mtp2 - SS7 MTP2
    mtp3 - SS7 MTP3
    irda - IrDA
    user0 - USER 0
    user1 - USER 1
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    symantec - Symantec Enterprise Firewall
    ap1394 - Apple IP-over-IEEE 1394
    bacnet-ms-tp - BACnet MS/TP
    raw-icmp-nettl - Raw ICMP with nettl headers
    raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
    gprs-llc - GPRS LLC
    juniper-atm1 - Juniper ATM1
    juniper-atm2 - Juniper ATM2
    redback - Redback SmartEdge
    rawip-nettl - Raw IP with nettl headers
    ether-nettl - Ethernet with nettl headers
    tr-nettl - Token Ring with nettl headers
    fddi-nettl - FDDI with nettl headers
    unknown-nettl - Unknown link-layer type with nettl headers
    mtp2-with-phdr - MTP2 with pseudoheader
    juniper-pppoe - Juniper PPPoE
    gcom-tie1 - GCOM TIE1
    gcom-serial - GCOM Serial
    x25-nettl - X25 with nettl headers
    k12 - K12 protocol analyzer
    juniper-mlppp - Juniper MLPPP
    juniper-mlfr - Juniper MLFR
    juniper-ether - Juniper Ethernet
    juniper-ppp - Juniper PPP
    juniper-frelay - Juniper Frame-Relay
    juniper-chdlc - Juniper C-HDLC
    juniper-ggsn - Juniper GGSN
    lapd - LAPD
    dct2000 - Catapult DCT2000
    ber - ASN.1 Basic Encoding Rules
    juniper-vp - Juniper Voice PIC
    usb - Raw USB packets
    ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
    raw-telnet-nettl - Raw telnet with nettl headers
    usb-linux - USB packets with Linux header
    mpeg - MPEG
    ppi - Per-Packet Information header
    erf - Endace Record File
    bluetooth-h4 - Bluetooth H4 with linux header
    sita-wan - SITA WAN packets
    sccp - SS7 SCCP
    bluetooth-hci - Bluetooth without transport layer
    ipmb - Intelligent Platform Management Bus
    wpan - IEEE 802.15.4 Wireless PAN
    x2e-xoraya - X2E Xoraya
    flexray - FlexRay
    lin - Local Interconnect Network
    most - Media Oriented Systems Transport
    can20b - Controller Area Network 2.0B
    layer1-event - EyeSDN Layer 1 event
    x2e-serial - X2E serial line capture
    i2c - I2C
    wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
    tnef - Transport-Neutral Encapsulation Format
    usb-linux-mmap - USB packets with Linux header and padding
    gsm_um - GSM Um Interface
    dpnss_link - Digital Private Signalling System No 1 Link Layer
    packetlogger - PacketLogger
    nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
    nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
    fc2 - Fibre Channel FC-2
    fc2sof - Fibre Channel FC-2 With Frame Delimiter
    jfif - JPEG/JFIF
    ipnet - Solaris IPNET