D.6.áeditcap: Edit capture files

Included with Wireshark is a small utility called editcap, which is a command-line utility for working with capture files. Its main function is to remove packets from capture files, but it can also be used to convert capture files from one format to another, as well as print information about capture files.

ExampleáD.3.áHelp information available from editcap

$ editcap -h
Editcap 0.99.6
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

A single packet or a range of packets can be selected.

Packets:
  -C <choplen>           chop each packet at the end by <choplen> bytes
  -d                     remove duplicate packets
  -E <error probability> set the probability (between 0.0 and 1.0 incl.)
                         that a particular packet byte will be randomly changed
  -r                     keep the selected packets, default is to delete them
  -s <snaplen>           truncate packets to max. <snaplen> bytes of data
  -t <time adjustment>   adjust the timestamp of selected packets,
                         <time adjustment> is in relative seconds (e.g. -0.5)
  -A <start time>        don't output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss)
  -B <stop time>         don't output packets whose timestamp is after the
                         given time (format as YYYY-MM-DD hh:mm:ss)

Output File(s):
  -c <packets per file>  split the packet output to different files,
                         with a maximum of <packets per file> each
  -F <capture type>      set the output file type, default is libpcap
                         an empty "-F" option will list the file types
  -T <encap type>        set the output file encapsulation type,
                         default is the same as the input file
                         an empty "-T" option will list the encapsulation types

Miscellaneous:
  -h                     display this help and exit
  -v                     verbose output

$ editcap -F
editcap: option requires an argument -- F
editcap: The available capture file types for "F":
    libpcap - Wireshark/tcpdump/... - libpcap
    nseclibpcap - Wireshark - nanosecond libpcap
    modlibpcap - Modified tcpdump - libpcap
    nokialibpcap - Nokia tcpdump - libpcap
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    5views - Accellent 5Views capture
    dct2000 - Catapult DCT2000 trace (.out format)
    nettl - HP-UX nettl trace
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    ngsniffer - NA Sniffer (DOS)
    ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
    ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
    niobserverv9 - Network Instruments Observer (V9)
    lanalyzer - Novell LANalyzer
    snoop - Sun snoop
    rf5 - Tektronix K12xx 32-bit .rf5 format
    visual - Visual Networks traffic capture

$ editcap -T
editcap: option requires an argument -- T
editcap: The available encapsulation types for "T":
    ether - Ethernet
    tr - Token Ring
    slip - SLIP
    ppp - PPP
    fddi - FDDI
    fddi-swapped - FDDI with bit-swapped MAC addresses
    rawip - Raw IP
    arcnet - ARCNET
    arcnet_linux - Linux ARCNET
    atm-rfc1483 - RFC 1483 ATM
    linux-atm-clip - Linux ATM CLIP
    lapb - LAPB
    atm-pdus - ATM PDUs
    atm-pdus-untruncated - ATM PDUs - untruncated
    null - NULL
    ascend - Lucent/Ascend access equipment
    isdn - ISDN
    ip-over-fc - RFC 2625 IP-over-Fibre Channel
    ppp-with-direction - PPP with Directional Info
    ieee-802-11 - IEEE 802.11 Wireless LAN
    prism - IEEE 802.11 plus Prism II monitor mode header
    ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
    ieee-802-11-radiotap - IEEE 802.11 plus radiotap WLAN header
    ieee-802-11-avs - IEEE 802.11 plus AVS WLAN header
    linux-sll - Linux cooked-mode capture
    frelay - Frame Relay
    frelay-with-direction - Frame Relay with Directional Info
    chdlc - Cisco HDLC
    ios - Cisco IOS internal
    ltalk - Localtalk
    pflog-old - OpenBSD PF Firewall logs, pre-3.4
    hhdlc - HiPath HDLC
    docsis - Data Over Cable Service Interface Specification
    cosine - CoSine L2 debug log
    whdlc - Wellfleet HDLC
    sdlc - SDLC
    tzsp - Tazmen sniffer protocol
    enc - OpenBSD enc(4) encapsulating interface
    pflog - OpenBSD PF Firewall logs
    chdlc-with-direction - Cisco HDLC with Directional Info
    bluetooth-h4 - Bluetooth H4
    mtp2 - SS7 MTP2
    mtp3 - SS7 MTP3
    irda - IrDA
    user0 - USER 0
    user1 - USER 1
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    symantec - Symantec Enterprise Firewall
    ap1394 - Apple IP-over-IEEE 1394
    bacnet-ms-tp - BACnet MS/TP
    raw-icmp-nettl - Raw ICMP with nettl headers
    raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
    gprs-llc - GPRS LLC
    juniper-atm1 - Juniper ATM1
    juniper-atm2 - Juniper ATM2
    redback - Redback SmartEdge
    rawip-nettl - Raw IP with nettl headers
    ether-nettl - Ethernet with nettl headers
    tr-nettl - Token Ring with nettl headers
    fddi-nettl - FDDI with nettl headers
    unknown-nettl - Unknown link-layer type with nettl headers
    mtp2-with-phdr - MTP2 with pseudoheader
    juniper-pppoe - Juniper PPPoE
    gcom-tie1 - GCOM TIE1
    gcom-serial - GCOM Serial
    x25-nettl - X25 with nettl headers
    k12 - K12 protocol analyzer
    juniper-mlppp - Juniper MLPPP
    juniper-mlfr - Juniper MLFR
    juniper-ether - Juniper Ethernet
    juniper-ppp - Juniper PPP
    juniper-frelay - Juniper Frame-Relay
    juniper-chdlc - Juniper C-HDLC
    juniper-ggsn - Juniper GGSN
    lapd - LAPD
    dct2000 - Catapult DCT2000
    ber - ASN.1 Basic Encoding Rules
      

Where each option has the following meaning:

-r

This option specifies that the frames listed should be kept, not deleted. The default is to delete the listed frames.

-h

This option provides help.

-v

This option specifies verbose operation. The default is silent operation.

-T {encap type}

This option specifies the frame encapsulation type to use.

It is mainly for converting funny captures to something that Wireshark can deal with.

The default frame encapsulation type is the same as the input encapsulation.

-F {capture type}

This option specifies the capture file format to write the output file in.

The default is libpcap format.

-s {snaplen}

Specifies that packets should be truncated to {snaplen} bytes of data.

-t {time adjustment}

Specifies the time adjustment to be applied to selected packets.

{infile}

This parameter specifies the input file to use. It must be present.

{outfile}

This parameter specifies the output file to use. It must be present.

[record#[-][record# ...]]

This optional parameter specifies the records to include or exclude (depending on the -r option. You can specify individual records or a range of records.