EDITCAP(1)                The Wireshark Network Analyzer                EDITCAP(1)

NAME
editcap - Edit and/or translate the format of capture files

SYNOPSIS
editcap [ -a <frame:comment> ] [ -A <start time> ] [ -B <stop time> ]
[ -c <packets per file> ] [ -C [offset:]<choplen> ]
[ -E <error probability> ] [ -F <file format> ] [ -h ]
[ -i <seconds per file> ] [ -o <change offset> ] [ -L ] [ -r ]
[ -s <snaplen> ] [ -S <strict time adjustment> ]
[ -t <time adjustment> ] [ -T <encapsulation type> ] [ -v ]
[ --inject-secrets <secrets type>,<file> ] [ --discard-all-secrets ]
infile outfile [ packet#[-packet#] ... ]

editcap -d | -D <dup window> | -w <dup time window> [ -v ]
[ -I <bytes to ignore> ] [ --skip-radiotap-header ] infile outfile

editcap [ -V ]

DESCRIPTION
Editcap is a program that reads some or all of the captured packets
from the infile, optionally converts them in various ways and writes
the resulting packets to the capture outfile (or outfiles).

By default, it reads all packets from the infile and writes them to the
outfile in pcapng file format.

An optional list of packet numbers can be specified on the command
tail; individual packet numbers separated by whitespace and/or ranges
of packet numbers can be specified as start-end, referring to all
packets from start to end. By default the selected packets with those
numbers will not be written to the capture file. If the -r flag is
specified, the whole packet selection is reversed; in that case only
the selected packets will be written to the capture file.

Editcap can also be used to remove duplicate packets. Several
different options (-d, -D and -w) are used to control the packet window
or relative time window to be used for duplicate comparison.

Editcap can be used to assign comment strings to frame numbers.

Editcap is able to detect, read and write the same capture files that
are supported by Wireshark. The input file doesn't need a specific
filename extension; the file format and an optional gzip compression
will be automatically detected. Near the beginning of the DESCRIPTION
section of wireshark(1) or
<https://www.wireshark.org/docs/man-pages/wireshark.html> is a detailed
description of the way Wireshark handles this, which is the same way
Editcap handles this.

Editcap can write the file in several output formats. The -F flag can
be used to specify the format in which to write the capture file;
editcap -F provides a list of the available output formats.

OPTIONS
-a <framenum:comment>
For the specified frame number, assign the given comment string.
Can be repeated for multiple frames. Quotes should be used with
comment strings that include spaces.

-A <start time>
Saves only the packets whose timestamp is on or after start time.
The time is given in the following format: YYYY-MM-DD HH:MM:SS

-B <stop time>
Saves only the packets whose timestamp is before stop time. The
time is given in the following format: YYYY-MM-DD HH:MM:SS

-c <packets per file>
Splits the packet output to different files based on uniform packet
counts with a maximum of <packets per file> each. Each output file
will be created with a suffix -nnnnn, starting with 00000. If the
specified number of packets is written to the output file, the next
output file is opened. The default is to use a single output file.

-C [offset:]<choplen>
Sets the chop length to use when writing the packet data. Each
packet is chopped by <choplen> bytes of data. Positive values chop
at the packet beginning while negative values chop at the packet
end.

If an optional offset precedes the <choplen>, then the bytes
chopped will be offset from that value. Positive offsets are from
the packet beginning, while negative offsets are from the packet
end.

This is useful for chopping headers for decapsulation of an entire
capture, removing tunneling headers, or in the rare case that the
conversion between two file formats leaves some random bytes at the
end of each packet. Another use is for removing vlan tags.

NOTE: This option can be used more than once, effectively allowing
you to chop bytes from up to two different areas of a packet in a
single pass provided that you specify at least one chop length as a
positive value and at least one as a negative value. All positive
chop lengths are added together as are all negative chop lengths.

-d Attempts to remove duplicate packets. The length and MD5 hash of
the current packet are compared to the previous four (4) packets.
If a match is found, the current packet is skipped. This option is
equivalent to using the option -D 5.

-D <dup window>
Attempts to remove duplicate packets. The length and MD5 hash of
the current packet are compared to the previous <dup window> - 1
packets. If a match is found, the current packet is skipped.

The use of the option -D 0 combined with the -v option is useful in
that each packet's Packet number, Len and MD5 Hash will be printed
to standard out. This verbose output (specifically the MD5 hash
strings) can be useful in scripts to identify duplicate packets
across trace files.

The <dup window> is specified as an integer value between 0 and
1000000 (inclusive).

NOTE: Specifying large <dup window> values with large tracefiles
can result in very long processing times for editcap.

-E <error probability>
Sets the probability that bytes in the output file are randomly
changed. Editcap uses that probability (between 0.0 and 1.0
inclusive) to apply errors to each data byte in the file. For
instance, a probability of 0.02 means that each byte has a 2%
chance of having an error.

This option is meant to be used for fuzz-testing protocol
dissectors.

-F <file format>
Sets the file format of the output capture file. Editcap can write
the file in several formats; editcap -F provides a list of the
available output formats. The default is the pcapng format.

-h Prints the version and options and exits.

-i <seconds per file>
Splits the packet output to different files based on uniform time
intervals using a maximum interval of <seconds per file> each. Each
output file will be created with a suffix -nnnnn, starting with
00000. If packets for the specified time interval are written to
the output file, the next output file is opened. The default is to
use a single output file.

-I <bytes to ignore>
Ignore the specified number of bytes at the beginning of the frame
during MD5 hash calculation, unless the frame is too short, then
the full frame is used. Useful to remove duplicated packets taken
on several routers (different mac addresses for example) e.g. -I 26
in case of Ether/IP will ignore ether(14) and IP header(20 - 4(src
ip) - 4(dst ip)). The default value is 0.

-L Adjust the original frame length accordingly when chopping and/or
snapping (in addition to the captured length, which is always
adjusted regardless of whether -L is specified or not). See also
-C <choplen> and -s <snaplen>.

-o <change offset>
When used in conjunction with -E, skip some bytes from the
beginning of the packet from being changed. In this way some
headers don't get changed, and the fuzzer is more focused on a
smaller part of the packet. Keeping part of the packet fixed means the
same dissector is triggered, which makes the fuzzing more precise.

-r Reverse the packet selection. Causes the packets whose packet
numbers are specified on the command line to be written to the
output capture file, instead of discarding them.

-s <snaplen>
Sets the snapshot length to use when writing the data. If the -s
flag is used to specify a snapshot length, packets in the input
file with more captured data than the specified snapshot length
will have only the amount of data specified by the snapshot length
written to the output file.

This may be useful if the program that is to read the output file
cannot handle packets larger than a certain size (for example, the
versions of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject
Ethernet packets larger than the standard Ethernet MTU, making them
incapable of handling gigabit Ethernet captures if jumbo packets
were used).

--seed <seed>
When used in conjunction with -E, set the seed for the pseudo-
random number generator. This is useful for recreating a
particular sequence of errors.

--skip-radiotap-header
Skip the radiotap header of each frame when checking for packet
duplicates. This is useful when processing a capture created by
combining outputs of multiple capture devices on the same channel
in the vicinity of each other.

-S <strict time adjustment>
Time adjust selected packets to ensure strict chronological order.

The <strict time adjustment> value represents relative seconds
specified as [-]seconds[.fractional seconds].

As the capture file is processed each packet's absolute time is
possibly adjusted to be equal to or greater than the previous
packet's absolute timestamp depending on the <strict time
adjustment> value.

If <strict time adjustment> value is 0 or greater (e.g. 0.000001)
then only packets with a timestamp less than the previous packet
will be adjusted. The adjusted timestamp value will be set to be
equal to the timestamp value of the previous packet plus the value
of the <strict time adjustment> value. A <strict time adjustment>
value of 0 will adjust the minimum number of timestamp values
necessary to ensure that the resulting capture file is in strict
chronological order.

If <strict time adjustment> value is specified as a negative value,
then the timestamp values of all packets will be adjusted to be
equal to the timestamp value of the previous packet plus the
absolute value of the <strict time adjustment> value. A
<strict time adjustment> value of -0 will result in all packets
having the timestamp value of the first packet.

This feature is useful when the trace file has an occasional packet
with a negative delta time relative to the previous packet.

-t <time adjustment>
Sets the time adjustment to use on selected packets. If the -t
flag is used to specify a time adjustment, the specified adjustment
will be applied to all selected packets in the capture file. The
adjustment is specified as [-]seconds[.fractional seconds]. For
example, -t 3600 advances the timestamp on selected packets by one
hour while -t -0.5 reduces the timestamp on selected packets by
one-half second.

This feature is useful when synchronizing dumps collected on
different machines where the time difference between the two
machines is known or can be estimated.

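The -S and -t rules above, modelled in Python as an added example (this is not editcap's own code; editcap works on nanosecond integer timestamps, this model uses float seconds and the same "[-]seconds[.fractional seconds]" syntax). The sign is parsed separately so that "-0" behaves differently from "0", as the -S description requires:

```python
import re

ADJ_SPEC = re.compile(r"-?\d+(?:\.\d{1,9})?")   # [-]seconds[.fractional seconds]

def parse_adjustment(spec):
    """Return (negative, magnitude) for an editcap time adjustment string.
    The sign is kept separately because -S -0 and -S 0 mean different things."""
    if not ADJ_SPEC.fullmatch(spec):
        raise ValueError("bad time adjustment: %r" % spec)
    return spec.startswith("-"), float(spec.lstrip("-"))

def time_adjust(timestamps, spec):
    """-t <time adjustment>: add the same signed delta to every selected packet."""
    negative, magnitude = parse_adjustment(spec)
    delta = -magnitude if negative else magnitude
    return [ts + delta for ts in timestamps]

def strict_time_adjust(timestamps, spec):
    """-S <strict time adjustment>:
    spec >= 0: only a packet timestamped before its predecessor is moved,
               to predecessor + magnitude (so "0" makes the minimal change);
    spec < 0 (including "-0"): every packet after the first is rewritten to
               predecessor + magnitude, so "-0" flattens all timestamps to
               the first packet's and "-0.5" spaces them exactly 0.5 s apart."""
    negative, magnitude = parse_adjustment(spec)
    out = []
    for ts in timestamps:
        if out:
            prev = out[-1]
            if negative or ts < prev:
                ts = prev + magnitude
        out.append(ts)
    return out

# Constructed timestamps (seconds) with one out-of-order packet at index 2.
SAMPLE = [10.0, 10.5, 10.25, 11.0]

if __name__ == "__main__":
    for spec in ("0", "0.25", "-0", "-0.5"):
        print("-S", spec, "->", strict_time_adjust(SAMPLE, spec))
    print("-t 3600 ->", time_adjust(SAMPLE, "3600"))
```
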
-T <encapsulation type>
Sets the packet encapsulation type of the output capture file. If
the -T flag is used to specify an encapsulation type, the
encapsulation type of the output capture file will be forced to the
specified type. editcap -T provides a list of the available types.
The default type is the one appropriate to the encapsulation type
of the input capture file.

Note: this merely forces the encapsulation type of the output file
to be the specified type; the packet headers of the packets will
not be translated from the encapsulation type of the input capture
file to the specified encapsulation type (for example, it will not
translate an Ethernet capture to an FDDI capture if an Ethernet
capture is read and '-T fddi' is specified). If you need to
remove/add headers from/to a packet, you will need
od(1)/text2pcap(1).

-v Causes editcap to print verbose messages while it's working.

Use of -v with the de-duplication switches of -d, -D or -w will
cause all MD5 hashes to be printed whether the packet is skipped or
not.

-V Print the version and exit.

-w <dup time window>
Attempts to remove duplicate packets. The current packet's arrival
time is compared with up to 1000000 previous packets. If the
packet's relative arrival time is less than or equal to the <dup
time window> of a previous packet and the packet length and MD5
hash of the current packet are the same then the packet is skipped.
The duplicate comparison test stops when the current packet's
relative arrival time is greater than <dup time window>.

The <dup time window> is specified as seconds[.fractional seconds].

The [.fractional seconds] component can be specified to nine (9)
decimal places (billionths of a second) but most typical trace
files have resolution to six (6) decimal places (millionths of a
second).

NOTE: Specifying large <dup time window> values with large
tracefiles can result in very long processing times for editcap.

NOTE: The -w option assumes that the packets are in chronological
order. If the packets are NOT in chronological order then the -w
duplication removal option may not identify some duplicates.

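The -d/-D frame-window and -w time-window comparisons, together with the -I ignore prefix described earlier, as an added Python model (not editcap's code; editcap keeps the hashes in a fixed ring buffer, this version uses a deque). The frames, MAC addresses and timestamps are constructed inline:

```python
import hashlib
from collections import deque

def frame_key(frame, ignore_bytes=0):
    """(length, MD5) of a frame. -I <bytes to ignore> skips that many leading
    bytes before hashing unless the frame is too short, then the whole frame
    is hashed. The compared length is always the full frame length."""
    body = frame[ignore_bytes:] if len(frame) > ignore_bytes else frame
    return len(frame), hashlib.md5(body).hexdigest()

def dedup_window(frames, dup_window=5, ignore_bytes=0):
    """-D <dup window> (-d is -D 5): drop a frame whose key matches one of the
    previous dup_window - 1 frames. Dropped frames still take a slot in the
    window, as in editcap, so -D 0 and -D 1 compare against nothing."""
    recent = deque(maxlen=max(dup_window - 1, 0))
    kept = []
    for frame in frames:
        key = frame_key(frame, ignore_bytes)
        if key not in recent:
            kept.append(frame)
        recent.append(key)
    return kept

def dedup_time(timed_frames, window_seconds, ignore_bytes=0):
    """-w <dup time window>: timed_frames are (timestamp, bytes) in chronological
    order. Walk back through up to 1000000 earlier frames; a frame is dropped on
    the first key match, and the walk stops once the time delta exceeds the
    window (which is why out-of-order input can hide duplicates)."""
    history = deque(maxlen=1000000)
    kept = []
    for ts, frame in timed_frames:
        key = frame_key(frame, ignore_bytes)
        duplicate = False
        for prev_ts, prev_key in reversed(history):
            if ts - prev_ts > window_seconds:
                break
            if prev_key == key:
                duplicate = True
                break
        if not duplicate:
            kept.append((ts, frame))
        history.append((ts, key))
    return kept

# Constructed frames: the same payload behind two different (made-up) MAC pairs,
# plus one frame of the same length carrying a different payload.
PAYLOAD = bytes(range(60))
ETH_A = bytes.fromhex("02000000000a02000000000b") + PAYLOAD
ETH_B = bytes.fromhex("02000000000c02000000000d") + PAYLOAD
OTHER = bytes.fromhex("02000000000a02000000000b") + PAYLOAD[::-1]
TIMED = [(0.0, ETH_A), (0.05, ETH_A), (0.1, OTHER), (0.3, ETH_A)]
```

With -I 12 the two MAC pairs are ignored and ETH_B is reported as a duplicate of ETH_A, which is the router-to-router case the -I description mentions.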
--inject-secrets <secrets type>,<file>
Inserts the contents of <file> into a Decryption Secrets Block
(DSB) within the pcapng output file. This enables decryption
without requiring additional configuration in protocol preferences.

The file format is described by <secrets type> which can be one of:

tls TLS Key Log as described at
<https://developer.mozilla.org/NSS_Key_Log_Format>

This option may be specified multiple times. The available options
for <secrets type> can be listed with --inject-secrets help.

--discard-all-secrets
Discard all decryption secrets from the input file when writing the
output file. Does not discard secrets added by --inject-secrets in
the same command line.

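What --inject-secrets and --discard-all-secrets do at the byte level, as an added Python example (not editcap's code): build a minimal little-endian pcapng section containing a TLS key log DSB, read the secrets back out the way a reader would, and strip every DSB before a capture is shared. The key log line is a constructed placeholder with dummy hex, not real TLS key material.

```python
import struct

BLOCK_SHB = 0x0A0D0D0A           # Section Header Block
BLOCK_DSB = 0x0000000A           # Decryption Secrets Block
SECRETS_TLS_KEYLOG = 0x544C534B  # "TLSK": NSS key log format (--inject-secrets tls,...)
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def pcapng_block(block_type, body):
    """Generic block: type, total length, body padded to 32 bits, total length."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def section_header_block():
    # version 1.0, section length -1 (unspecified), no options
    return pcapng_block(BLOCK_SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))

def decryption_secrets_block(secrets, secrets_type=SECRETS_TLS_KEYLOG):
    """DSB body: secrets type, secrets length, then the raw secrets data."""
    return pcapng_block(BLOCK_DSB, struct.pack("<II", secrets_type, len(secrets)) + secrets)

def iter_blocks(data):
    """Yield (type, raw_block) for a little-endian section, validating lengths."""
    off = 0
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated block at offset %d" % off)
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError("corrupt block length at offset %d" % off)
        if struct.unpack_from("<I", data, off + total - 4)[0] != total:
            raise ValueError("trailing length mismatch at offset %d" % off)
        yield btype, data[off:off + total]
        off += total

def extract_secrets(data):
    """What a reader sees: (secrets type, secrets bytes) from every DSB."""
    found = []
    for btype, blk in iter_blocks(data):
        if btype == BLOCK_DSB:
            stype, slen = struct.unpack_from("<II", blk, 8)
            found.append((stype, blk[16:16 + slen]))
    return found

def discard_all_secrets(data):
    """--discard-all-secrets: copy every block except DSBs."""
    return b"".join(blk for btype, blk in iter_blocks(data) if btype != BLOCK_DSB)

# Constructed key log line with dummy hex (all zeros / all ones), not real keys.
KEYLOG = ("CLIENT_RANDOM " + "00" * 32 + " " + "11" * 48 + "\n").encode()
```

Editcap writes pcapng in host byte order; a general reader must take the byte order from the section header's magic rather than assume little-endian as this model does.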
EXAMPLES
To see a more detailed description of the options use:

editcap -h

To shrink the capture file by truncating the packets at 64 bytes and
writing it as Sun snoop file use:

editcap -s 64 -F snoop capture.pcapng shortcapture.snoop

To delete packet 1000 from the capture file use:

editcap capture.pcapng sans1000.pcapng 1000

To limit a capture file to packets from number 200 to 750 (inclusive)
use:

editcap -r capture.pcapng small.pcapng 200-750

To get all packets from number 1-500 (inclusive) use:

editcap -r capture.pcapng first500.pcapng 1-500

or

editcap capture.pcapng first500.pcapng 501-9999999

To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:

editcap capture.pcapng exclude.pcapng 1 5 10-20 30-40

To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file
use:

editcap -r capture.pcapng select.pcapng 1 5 10-20 30-40

To remove duplicate packets seen within the prior four frames use:

editcap -d capture.pcapng dedup.pcapng

To remove duplicate packets seen within the prior four frames while
skipping radiotap headers use:

editcap -d --skip-radiotap-header capture.pcapng dedup.pcapng

To remove duplicate packets seen within the prior 100 frames use:

editcap -D 101 capture.pcapng dedup.pcapng

To remove duplicate packets seen no more than 1/10th of a second
apart use:

editcap -w 0.1 capture.pcapng dedup.pcapng

To display the MD5 hash for all of the packets (and NOT generate any
real output file):

editcap -v -D 0 capture.pcapng /dev/null

or on Windows systems

editcap -v -D 0 capture.pcapng NUL

To advance the timestamps of each packet forward by 3.0827 seconds:

editcap -t 3.0827 capture.pcapng adjusted.pcapng

To ensure all timestamps are in strict chronological order:

editcap -S 0 capture.pcapng adjusted.pcapng

To introduce 5% random errors in a capture file use:

editcap -E 0.05 capture.pcapng capture_error.pcapng

To remove vlan tags from all packets within an Ethernet-encapsulated
capture file, use:

editcap -L -C 12:4 capture_vlan.pcapng capture_no_vlan.pcapng

To chop both the 10 byte and 20 byte regions from the following 75 byte
packet in a single pass, use any of the 8 possible methods provided
below:

<--------------------------- 75 ---------------------------->

+---+-------+-----------+---------------+-------------------+
| 5 |  10   |    15     |      20       |        25         |
+---+-------+-----------+---------------+-------------------+

1) editcap -C 5:10 -C -25:-20 capture.pcapng chopped.pcapng
2) editcap -C 5:10 -C 50:-20 capture.pcapng chopped.pcapng
3) editcap -C -70:10 -C -25:-20 capture.pcapng chopped.pcapng
4) editcap -C -70:10 -C 50:-20 capture.pcapng chopped.pcapng
5) editcap -C 30:20 -C -60:-10 capture.pcapng chopped.pcapng
6) editcap -C 30:20 -C 15:-10 capture.pcapng chopped.pcapng
7) editcap -C -45:20 -C -60:-10 capture.pcapng chopped.pcapng
8) editcap -C -45:20 -C 15:-10 capture.pcapng chopped.pcapng

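The chop arithmetic behind the eight equivalent command lines above and the -C option's offset rules, as an added Python model (not editcap's code): each -C spec is resolved to a byte range against the original packet and both ranges are removed in one pass. It also covers the single-argument form (-C 14, -C -4) and the VLAN example (-C 12:4); the 75-byte packet and the tagged Ethernet frame are constructed inline.

```python
import re

CHOP_SPEC = re.compile(r"(?:(-?\d+):)?(-?\d+)")   # [offset:]<choplen>

def parse_chop(spec):
    """Return (offset, choplen) for one -C argument; offset defaults to 0."""
    m = CHOP_SPEC.fullmatch(spec)
    if not m:
        raise ValueError("bad chop spec: %r" % spec)
    return (int(m.group(1)) if m.group(1) is not None else 0), int(m.group(2))

def chop_range(caplen, offset, choplen):
    """Byte range [start, end) removed from a caplen-byte packet.
    Positive choplen removes bytes starting at the offset, negative choplen
    removes bytes ending at the offset. Positive offsets count from the start,
    negative ones from the end; offset 0 means the start for a positive
    choplen and the end for a negative one (plain -C 14 / -C -4)."""
    if choplen > 0:
        pos = offset if offset >= 0 else caplen + offset
        start, end = pos, pos + choplen
    elif choplen < 0:
        pos = offset if offset > 0 else caplen + offset
        start, end = pos + choplen, pos
    else:
        return 0, 0
    return max(start, 0), min(end, caplen)   # never reach outside the packet

def apply_chops(packet, specs):
    """Apply up to two -C specs in a single pass. As the man page requires,
    two specs must have chop lengths of opposite sign (editcap sums same-sign
    lengths instead, which this model does not reproduce)."""
    parsed = [parse_chop(s) for s in specs]
    if len(parsed) > 2 or (len(parsed) == 2 and parsed[0][1] * parsed[1][1] > 0):
        raise ValueError("need one positive and one negative chop length")
    drop = bytearray(len(packet))
    for offset, choplen in parsed:
        start, end = chop_range(len(packet), offset, choplen)
        drop[start:end] = b"\1" * (end - start)
    return bytes(b for b, d in zip(packet, drop) if not d)

# Constructed 75-byte packet laid out as 5 | 10 | 15 | 20 | 25 as in the figure.
PACKET = bytes(range(75))
EXPECTED = PACKET[:5] + PACKET[15:30] + PACKET[50:]       # 45 bytes remain
METHODS = [("5:10", "-25:-20"), ("5:10", "50:-20"), ("-70:10", "-25:-20"),
           ("-70:10", "50:-20"), ("30:20", "-60:-10"), ("30:20", "15:-10"),
           ("-45:20", "-60:-10"), ("-45:20", "15:-10")]
# Constructed Ethernet frame with an 802.1Q tag at bytes 12..15.
VLAN_FRAME = bytes(12) + bytes.fromhex("81000064") + bytes.fromhex("0800") + bytes(20)
```
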
To add comment strings to the first 2 input frames, use:

editcap -a "1:1st frame" -a 2:Second capture.pcapng capture-comments.pcapng

SEE ALSO
pcap(3), wireshark(1), tshark(1), mergecap(1), dumpcap(1), capinfos(1),
text2pcap(1), od(1), pcap-filter(7) or tcpdump(8)

NOTES
Editcap is part of the Wireshark distribution. The latest version of
Wireshark can be found at <https://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at:
<https://www.wireshark.org/docs/man-pages>.

AUTHORS
Original Author
-------- ------
Richard Sharpe <sharpe[AT]ns.aus.com>

Contributors
------------
Guy Harris <guy[AT]alum.mit.edu>
Ulf Lamping <ulf.lamping[AT]web.de>

3.0.1                            2019-04-08                            EDITCAP(1)