EDITCAP(1)              The Wireshark Network Analyzer              EDITCAP(1)

NAME
    editcap - Edit and/or translate the format of capture files

SYNOPSIS
    editcap [ -c <packets per file> ] [ -C <choplen> ] [ -d ]
    [ -E <error probability> ] [ -F <file format> ] [ -A <start time> ]
    [ -B <stop time> ] [ -h ] [ -r ] [ -s <snaplen> ] [ -t <time adjustment> ]
    [ -T <encapsulation type> ] [ -v ] infile outfile
    [ packet#[-packet#] ... ]

DESCRIPTION
    Editcap is a program that reads some or all of the captured packets
    from the infile, optionally converts them in various ways and writes
    the resulting packets to the capture outfile (or outfiles).

    By default, it reads all packets from the infile and writes them to the
    outfile in libpcap file format.

    A list of packet numbers can be specified on the command line; ranges
    of packet numbers can be specified as start-end, referring to all
    packets from start to end. The packets with those numbers will not be
    written to the capture file. If the -r flag is specified, the whole
    packet selection is reversed; in that case only the selected packets
    will be written to the capture file.

    Editcap is able to detect, read and write the same capture files that
    are supported by Wireshark. The input file doesn't need a specific
    filename extension; the file format and an optional gzip compression
    will be automatically detected. Near the beginning of the DESCRIPTION
    section of wireshark(1) or
    <http://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed
    description of the way Wireshark handles this, which is the same way
    Editcap handles this.

    Editcap can write the file in several output formats. The -F flag can
    be used to specify the format in which to write the capture file;
    editcap -F provides a list of the available output formats.

OPTIONS
    -c <packets per file>
        Sets the maximum number of packets per output file. Each output
        file will be created with a suffix -nnnnn, starting with 00000. If
        the specified number of packets are written to the output file, the
        next output file is opened. The default is to use a single output
        file.

    -C <choplen>
        Sets the chop length to use when writing the packet data. Each
        packet is chopped at the packet end by <choplen> bytes of data.

        This is useful in the rare case that the conversion between two
        file formats leaves some random bytes at the end of each packet.

    -d  Attempts to remove duplicate packets. The length and MD5 sum of
        the current packet are compared to the previous four packets. If a
        match is found, the packet is skipped.
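As an added illustration (not code from this man page or from Wireshark), the following Python reproduces the -d rule on a constructed packet stream: each packet's length and MD5 digest are compared against the previous four packets, and a match drops the packet. One assumption goes beyond the text: packets that were skipped still count towards the window of four.

```python
import hashlib
from collections import deque

# Constructed sample frames (not from a real capture). A and B have the same
# length but different bytes, so length alone could not tell them apart.
ETH_HDR = bytes.fromhex("00112233445566778899aabb0800")
FRAMES = {name: ETH_HDR + name.encode() * size
          for name, size in (("A", 40), ("B", 40), ("C", 60), ("D", 20), ("E", 30))}
# Packet 2 repeats packet 1; packet 7 repeats A after five other packets;
# packet 8 repeats C four packets later.
SAMPLE_STREAM = [FRAMES[n] for n in "AABCDEAC"]


def dedup_packets(packets, window=4):
    """Mirror the -d rule: skip a packet whose (length, MD5) matches one of the
    previous `window` packets read. Assumption: skipped packets still occupy a
    slot in the window, i.e. the window tracks packets read, not packets written.
    Returns (kept_packets, dropped_packet_numbers), numbering packets from 1."""
    recent = deque(maxlen=window)
    kept, dropped = [], []
    for number, pkt in enumerate(packets, start=1):
        # MD5 is a fingerprint for comparison here, not an integrity control.
        sig = (len(pkt), hashlib.md5(pkt, usedforsecurity=False).digest())
        if sig in recent:
            dropped.append(number)
        else:
            kept.append(pkt)
        recent.append(sig)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = dedup_packets(SAMPLE_STREAM)
    print("kept %d of %d packets, dropped packet numbers %s"
          % (len(kept), len(SAMPLE_STREAM), dropped))
    # A wider window would also catch the late repeat of A at packet 7.
    print("with window=8, dropped", dedup_packets(SAMPLE_STREAM, window=8)[1])
```

With the window at four, the repeat of A at packet 7 survives because its earlier copies have already aged out of the window; only packets 2 and 8 are dropped.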

    -E <error probability>
        Sets the probability that bytes in the output file are randomly
        changed. Editcap uses that probability (between 0.0 and 1.0
        inclusive) to apply errors to each data byte in the file. For
        instance, a probability of 0.02 means that each byte has a 2%
        chance of having an error.

        This option is meant to be used for fuzz-testing protocol
        dissectors.

    -F <file format>
        Sets the file format of the output capture file. Editcap can write
        the file in several formats; editcap -F provides a list of the
        available output formats. The default is the libpcap format.

    -A <start time>
        Saves only the packets whose timestamp is on or after the start
        time. The time is given in the format YYYY-MM-DD HH:MM:SS.

    -B <stop time>
        Saves only the packets whose timestamp is on or before the stop
        time. The time is given in the format YYYY-MM-DD HH:MM:SS.

    -h  Prints the version and options and exits.

    -r  Reverses the packet selection. Causes the packets whose packet
        numbers are specified on the command line to be written to the
        output capture file, instead of discarding them.

    -s <snaplen>
        Sets the snapshot length to use when writing the data. If the -s
        flag is used to specify a snapshot length, packets in the input
        file with more captured data than the specified snapshot length
        will have only the amount of data specified by the snapshot length
        written to the output file.

        This may be useful if the program that is to read the output file
        cannot handle packets larger than a certain size (for example, the
        versions of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject
        Ethernet packets larger than the standard Ethernet MTU, making them
        incapable of handling gigabit Ethernet captures if jumbo packets
        were used).

    -t <time adjustment>
        Sets the time adjustment to use on selected packets. If the -t
        flag is used to specify a time adjustment, the specified adjustment
        will be applied to all selected packets in the capture file. The
        adjustment is specified as [-]seconds[.fractional seconds]. For
        example, -t 3600 advances the timestamp on selected packets by one
        hour while -t -0.5 reduces the timestamp on selected packets by
        one-half second.

        This feature is useful when synchronizing dumps collected on
        different machines where the time difference between the two
        machines is known or can be estimated.
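As an added illustration covering both -s and -t (not code from this man page or from Wireshark), a small Python rewriter over a libpcap file constructed in memory: captured bytes are cut to the snapshot length while each record's original-length field keeps the on-the-wire size, and every timestamp is shifted by a signed fractional number of seconds. Lowering the file header's snaplen field to match is an assumption, since the text only describes the per-packet effect; build_pcap, parse_pcap and rewrite_pcap are hypothetical helper names, and the record layout is the classic libpcap format.

```python
import struct

MAGIC_USEC = 0xA1B2C3D4   # classic libpcap magic, microsecond timestamps
GLOBAL_HDR = "IHHiIII"    # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"       # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)

def build_pcap(packets, snaplen=65535, linktype=1):
    """Build a little-endian libpcap file from (ts_sec, ts_usec, frame) tuples.
    Only used to construct sample data in memory; it is not a real capture."""
    out = [struct.pack("<" + GLOBAL_HDR, MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def parse_pcap(data):
    """Return (endian, global_header, records); a record is
    (ts_sec, ts_usec, incl_len, orig_len, payload). Either byte order is accepted."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == MAGIC_USEC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != MAGIC_USEC:
        raise ValueError("not a microsecond-resolution libpcap file")
    header = struct.unpack(endian + GLOBAL_HDR, data[:24])
    records, pos = [], 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, data[pos:pos + 16])
        payload = data[pos + 16:pos + 16 + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated record at offset %d" % pos)
        records.append((ts_sec, ts_usec, incl_len, orig_len, payload))
        pos += 16 + incl_len
    return endian, header, records

def rewrite_pcap(data, snaplen=None, time_adjust=0.0):
    """-s: cut captured bytes to snaplen, orig_len keeps the on-the-wire size, and the
    file's snaplen field is lowered to match.  -t: shift every timestamp by time_adjust
    seconds ([-]seconds[.fraction]); a negative value moves packets earlier."""
    endian, header, records = parse_pcap(data)
    header = list(header)
    if snaplen is not None:
        header[5] = min(header[5], snaplen)
    shift_us = round(time_adjust * 1_000_000)
    out = [struct.pack(endian + GLOBAL_HDR, *header)]
    for ts_sec, ts_usec, incl_len, orig_len, payload in records:
        total_us = ts_sec * 1_000_000 + ts_usec + shift_us
        if total_us < 0:
            raise ValueError("adjustment would move a packet before the epoch")
        if snaplen is not None and incl_len > snaplen:
            payload, incl_len = payload[:snaplen], snaplen
        out.append(struct.pack(endian + RECORD_HDR, total_us // 1_000_000,
                               total_us % 1_000_000, incl_len, orig_len) + payload)
    return b"".join(out)
```

Because orig_len is left untouched, a reader of the truncated file can still tell that a 100-byte frame was captured only in part, which is exactly the information a later analysis needs.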

    -T <encapsulation type>
        Sets the packet encapsulation type of the output capture file. If
        the -T flag is used to specify an encapsulation type, the
        encapsulation type of the output capture file will be forced to the
        specified type. editcap -T provides a list of the available types.
        The default type is the one appropriate to the encapsulation type
        of the input capture file.

        Note: this merely forces the encapsulation type of the output file
        to be the specified type; the packet headers of the packets will
        not be translated from the encapsulation type of the input capture
        file to the specified encapsulation type (for example, it will not
        translate an Ethernet capture to an FDDI capture if an Ethernet
        capture is read and '-T fddi' is specified). If you need to
        remove/add headers from/to a packet, you will need
        od(1)/text2pcap(1).

    -v  Causes editcap to print verbose messages while it's working.

EXAMPLES
    To see a more detailed description of the options use:

        editcap -h

    To shrink the capture file by truncating the packets at 64 bytes and
    writing it as a Sun snoop file use:

        editcap -s 64 -F snoop capture.pcap shortcapture.snoop

    To delete packet 1000 from the capture file use:

        editcap capture.pcap sans1000.pcap 1000

    To limit a capture file to packets from number 200 to 750 (inclusive)
    use:

        editcap -r capture.pcap small.pcap 200-750

    To get all packets from number 1-500 (inclusive) use:

        editcap -r capture.pcap 500.pcap 1-500

    or

        editcap capture.pcap 500.pcap 501-9999999

    To filter out packets 10 to 20 and 30 to 40 into a new file use:

        editcap capture.pcap selection.pcap 10-20 30-40

    To introduce 5% random errors in a capture file use:

        editcap -E 0.05 capture.pcap capture_error.pcap

SEE ALSO
    tcpdump(8), pcap(3), wireshark(1), tshark(1), mergecap(1), dumpcap(1),
    capinfos(1), text2pcap(1), od(1)

NOTES
    Editcap is part of the Wireshark distribution. The latest version of
    Wireshark can be found at <http://www.wireshark.org>.

    HTML versions of the Wireshark project man pages are available at:
    <http://www.wireshark.org/docs/man-pages>.

AUTHORS
    Original Author
    -------- ------
    Richard Sharpe <sharpe[AT]ns.aus.com>

    Contributors
    ------------
    Guy Harris <guy[AT]alum.mit.edu>
    Ulf Lamping <ulf.lamping[AT]web.de>

1.0.0                             2008-03-29                        EDITCAP(1)