EDITCAP(1) EDITCAP(1)


NAME
editcap - Edit and/or translate the format of capture files

SYNOPSIS
editcap [ -a <frame:comment> ] [ -A <start time> ] [ -B <stop time> ]
[ -c <packets per file> ] [ -C [offset:]<choplen> ]
[ -E <error probability> ] [ -F <file format> ] [ -h ]
[ -i <seconds per file> ] [ -o <change offset> ] [ -L ] [ -r ]
[ -s <snaplen> ] [ -S <strict time adjustment> ]
[ -t <time adjustment> ] [ -T <encapsulation type> ] [ -v ]
[ --inject-secrets <secrets type>,<file> ] [ --discard-all-secrets ]
[ --capture-comment <comment> ] [ --discard-capture-comment ] infile
outfile [ packet#[-packet#] ... ]

editcap -d -D <dup window> -w <dup time window> [ -v ]
[ -I <bytes to ignore> ] [ --skip-radiotap-header ] infile outfile

editcap [ -V ]

DESCRIPTION
Editcap is a program that reads some or all of the captured packets
from the infile, optionally converts them in various ways and writes
the resulting packets to the capture outfile (or outfiles).

By default, it reads all packets from the infile and writes them to the
outfile in pcapng file format.

The -A and -B options allow you to limit the time range from which
packets are read from the infile.

An optional list of packet numbers can be specified on the command
tail; individual packet numbers separated by whitespace and/or ranges
of packet numbers can be specified as start-end, referring to all
packets from start to end. By default the packets with those numbers
will not be written to the capture file. If the -r flag is specified,
the whole packet selection is reversed; in that case only the selected
packets will be written to the capture file.

Editcap can also be used to remove duplicate packets. Several different
options (-d, -D and -w) are used to control the packet window or
relative time window to be used for duplicate comparison.

Editcap can be used to assign comment strings to frame numbers.

Editcap is able to detect, read and write the same capture files that
are supported by Wireshark. The input file doesn’t need a specific
filename extension; the file format and an optional gzip, zstd or lz4
compression will be automatically detected. Near the beginning of the
DESCRIPTION section of wireshark(1) or
https://www.wireshark.org/docs/man-pages/wireshark.html is a detailed
description of the way Wireshark handles this, which is the same way
Editcap handles this.

Editcap can write the file in several output formats. The -F flag can
be used to specify the format in which to write the capture file;
editcap -F provides a list of the available output formats.

OPTIONS
-a <framenum:comment>

For the specified frame number, assign the given comment string.
Can be repeated for multiple frames. Quotes should be used with
comment strings that include spaces.

-A <start time>

Reads only the packets whose timestamp is on or after start time.
The time is given in ISO 8601 format, either YYYY-MM-DD
HH:MM:SS[.nnnnnnnnn][Z|±hh:mm] or
YYYY-MM-DDTHH:MM:SS[.nnnnnnnnn][Z|±hh:mm]. The fractional seconds
are optional, as is the time zone offset from UTC (in which case
local time is assumed). Unix epoch timestamps (floating point
format) are also accepted.

-B <stop time>

Reads only the packets whose timestamp is before stop time. The
time is given in ISO 8601 format, either YYYY-MM-DD
HH:MM:SS[.nnnnnnnnn][Z|±hh:mm] or
YYYY-MM-DDTHH:MM:SS[.nnnnnnnnn][Z|±hh:mm]. The fractional seconds
are optional, as is the time zone offset from UTC (in which case
local time is assumed). Unix epoch timestamps (floating point
format) are also accepted.

-c <packets per file>

Splits the packet output to different files based on uniform packet
counts with a maximum of <packets per file> each.

Each output file will be created with an infix
_nnnnn[_YYYYmmddHHMMSS] inserted before the file extension (which
may be null) of outfile. The infix consists of the ordinal number
of the output file, starting with 00000, followed by the timestamp
of its first packet. The timestamp is omitted if the input file
does not contain timestamp information.

After the specified number of packets is written to the output
file, the next output file is opened. The default is to use a
single output file. This option conflicts with -i.

-C [offset:]<choplen>

Sets the chop length to use when writing the packet data. Each
packet is chopped by <choplen> bytes of data. Positive values chop
at the packet beginning while negative values chop at the packet
end.

If an optional offset precedes the <choplen>, then the bytes
chopped will be offset from that value. Positive offsets are from
the packet beginning, while negative offsets are from the packet
end.

This is useful for chopping headers for decapsulation of an entire
capture, removing tunneling headers, or in the rare case that the
conversion between two file formats leaves some random bytes at the
end of each packet. Another use is for removing VLAN tags.

Note
This option can be used more than once, effectively allowing
you to chop bytes from up to two different areas of a packet in
a single pass provided that you specify at least one chop
length as a positive value and at least one as a negative
value. All positive chop lengths are added together as are all
negative chop lengths.

-d

Attempts to remove duplicate packets. The length and MD5 hash of
the current packet are compared to the previous four (4) packets.
If a match is found, the current packet is skipped. This option is
equivalent to using the option -D 5.

-D <dup window>

Attempts to remove duplicate packets. The length and MD5 hash of
the current packet are compared to the previous <dup window> - 1
packets. If a match is found, the current packet is skipped.

The use of the option -D 0 combined with the -v option is useful in
that each packet’s Packet number, Len and MD5 Hash will be printed
to standard out. This verbose output (specifically the MD5 hash
strings) can be useful in scripts to identify duplicate packets
across trace files.

The <dup window> is specified as an integer value between 0 and
1000000 (inclusive).

Note
Specifying large <dup window> values with large tracefiles can
result in very long processing times for editcap.

-E <error probability>

Sets the probability that bytes in the output file are randomly
changed. Editcap uses that probability (between 0.0 and 1.0
inclusive) to apply errors to each data byte in the file. For
instance, a probability of 0.02 means that each byte has a 2%
chance of having an error.

This option is meant to be used for fuzz-testing protocol
dissectors.

-F <file format>

Sets the file format of the output capture file. Editcap can write
the file in several formats; editcap -F provides a list of the
available output formats. The default is the pcapng format.

-h

Prints the version and options and exits.

-i <seconds per file>

Splits the packet output to different files based on uniform time
intervals using a maximum interval of <seconds per file> each.
Floating point values (e.g. 0.5) are allowed.

Each output file will be created with an infix
_nnnnn[_YYYYmmddHHMMSS] inserted before the file extension (which
may be null) of outfile. The infix consists of the ordinal number
of the output file, starting with 00000, followed by the timestamp
of its first packet. The timestamp is omitted if the input file
does not contain timestamp information.

After packets for the specified time interval are written to the
output file, the next output file is opened. The default is to use
a single output file. This option conflicts with -c.

-I <bytes to ignore>

Ignore the specified number of bytes at the beginning of the frame
during MD5 hash calculation, unless the frame is too short, in
which case the full frame is used. Useful for removing duplicate
packets captured on several routers (which differ in MAC addresses,
for example); e.g. -I 26 in the case of Ether/IP ignores the 14-byte
Ethernet header and the first 12 bytes of the IP header (20 bytes
minus the 4-byte source IP and 4-byte destination IP). The default
value is 0.

-L

Adjust the original frame length accordingly when chopping and/or
snapping (in addition to the captured length, which is always
adjusted regardless of whether -L is specified or not). See also -C
<choplen> and -s <snaplen>.

-o <change offset>

When used in conjunction with -E, skip some bytes from the
beginning of the packet from being changed. In this way some
headers don’t get changed, and the fuzzer is more focused on a
smaller part of the packet. Keeping part of the packet fixed means
the same dissector is triggered, which makes the fuzzing more
precise.

-r

Reverse the packet selection. Causes the packets whose packet
numbers are specified on the command line to be written to the
output capture file, instead of discarding them.

-s <snaplen>

Sets the snapshot length to use when writing the data. If the -s
flag is used to specify a snapshot length, packets in the input
file with more captured data than the specified snapshot length
will have only the amount of data specified by the snapshot length
written to the output file.

This may be useful if the program that is to read the output file
cannot handle packets larger than a certain size (for example, the
versions of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject
Ethernet packets larger than the standard Ethernet MTU, making them
incapable of handling gigabit Ethernet captures if jumbo packets
were used).

--seed <seed>

When used in conjunction with -E, set the seed for the
pseudo-random number generator. This is useful for recreating a
particular sequence of errors.

--skip-radiotap-header

Skip the radiotap header of each frame when checking for packet
duplicates. This is useful when processing a capture created by
combining outputs of multiple capture devices on the same channel
in the vicinity of each other.

-S <strict time adjustment>

Time adjust selected packets to ensure strict chronological order.

The <strict time adjustment> value represents relative seconds
specified as seconds[.fractional seconds].

As the capture file is processed each packet’s absolute time is
possibly adjusted to be equal to or greater than the previous
packet’s absolute timestamp depending on the <strict time
adjustment> value.

If the <strict time adjustment> value is 0 or greater (e.g. 0.000001)
then only packets with a timestamp less than the previous packet
will be adjusted. The adjusted timestamp value will be set to be
equal to the timestamp value of the previous packet plus the
<strict time adjustment> value. A <strict time adjustment> value of
0 will adjust the minimum number of timestamp values necessary to
ensure that the resulting capture file is in strict chronological
order.

If the <strict time adjustment> value is specified as a negative
value, then the timestamp values of all packets will be adjusted to
be equal to the timestamp value of the previous packet plus the
absolute value of the <strict time adjustment> value. A <strict
time adjustment> value of -0 will result in all packets having the
timestamp value of the first packet.

This feature is useful when the trace file has an occasional packet
with a negative delta time relative to the previous packet.
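A model of the -S rules just described, added here as an illustration (it is not editcap's own code). It takes the adjustment in its command-line string form so that -0 can be told apart from 0, and compares each packet against the previous packet's already-adjusted timestamp.

```python
def strict_time_adjust(timestamps, adjustment):
    """Model of editcap -S <strict time adjustment>.

    timestamps: absolute packet times in seconds, in file order.
    adjustment: the option value as written on the command line, e.g.
                "0", "0.000001", "-0.5" or "-0".

    Non-negative value: only a packet timestamped earlier than its
    predecessor is moved, to predecessor + adjustment.
    Negative value: every packet after the first is set to
    predecessor + |adjustment|, so "-0" collapses the whole trace onto
    the first packet's timestamp.
    """
    negative = adjustment.strip().startswith("-")
    delta = abs(float(adjustment))
    adjusted = []
    for ts in timestamps:
        if adjusted:
            prev = adjusted[-1]  # the previous packet's *written* time
            if negative or ts < prev:
                ts = prev + delta
        adjusted.append(ts)
    return adjusted
```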

-t <time adjustment>

Sets the time adjustment to use on selected packets. If the -t flag
is used to specify a time adjustment, the specified adjustment will
be applied to all selected packets in the capture file. The
adjustment is specified as seconds[.fractional seconds]. For
example, -t 3600 advances the timestamp on selected packets by one
hour while -t -0.5 reduces the timestamp on selected packets by
one-half second.

This feature is useful when synchronizing dumps collected on
different machines where the time difference between the two
machines is known or can be estimated.

-T <encapsulation type>

Sets the packet encapsulation type of the output capture file. If
the -T flag is used to specify an encapsulation type, the
encapsulation type of the output capture file will be forced to the
specified type. editcap -T provides a list of the available types.
The default type is the one appropriate to the encapsulation type
of the input capture file.

Note: this merely forces the encapsulation type of the output file
to be the specified type; the packet headers of the packets will
not be translated from the encapsulation type of the input capture
file to the specified encapsulation type (for example, it will not
translate an Ethernet capture to an FDDI capture if an Ethernet
capture is read and '-T fddi' is specified). If you need to
remove/add headers from/to a packet, you will need
od(1)/text2pcap(1).

-v

Causes editcap to print verbose messages while it’s working.

Use of -v with the de-duplication switches of -d, -D or -w will
cause all MD5 hashes to be printed whether the packet is skipped or
not.

-V

Print the version and exit.

-w <dup time window>

Attempts to remove duplicate packets. The current packet’s arrival
time is compared with up to 1000000 previous packets. If the
packet’s relative arrival time is less than or equal to the <dup
time window> of a previous packet and the packet length and MD5
hash of the current packet are the same, then the packet is skipped.
The duplicate comparison test stops when the current packet’s
relative arrival time is greater than <dup time window>.

The <dup time window> is specified as seconds[.fractional seconds].

The [.fractional seconds] component can be specified to nine (9)
decimal places (billionths of a second) but most typical trace
files have resolution to six (6) decimal places (millionths of a
second).

Note
Specifying large <dup time window> values with large tracefiles
can result in very long processing times for editcap.

Note
The -w option assumes that the packets are in chronological
order. If the packets are NOT in chronological order then the
-w duplication removal option may not identify some duplicates.
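A model of the duplicate detection behind -d, -D, -I and -w, added here as an illustration (not editcap's own code). It assumes the documented comparison key (frame length plus MD5 of the frame, minus the -I prefix) and that every examined frame, dropped or not, enters the comparison window; the Ethernet/IPv4 frames are constructed sample data standing in for one datagram captured at two routers.

```python
import hashlib
from collections import deque

def frame_digest(frame, ignore=0):
    """The (length, MD5) key that is compared. With -I, `ignore` leading bytes
    are left out of the hash unless the frame is too short, in which case the
    whole frame is hashed; the length compared is always the full length."""
    body = frame[ignore:] if len(frame) > ignore else frame
    return len(frame), hashlib.md5(body).digest()

def dedup_window(frames, dup_window=5, ignore=0):
    """Model of -D <dup window> [-I <bytes>]: a frame is dropped when its key
    matches any of the previous dup_window - 1 frames examined (frames that
    were themselves dropped still count). -d is dup_window=5. Returns the
    frames that would be written; -D 0 and -D 1 compare nothing."""
    recent = deque(maxlen=max(dup_window - 1, 0))
    kept = []
    for frame in frames:
        key = frame_digest(frame, ignore)
        if key not in recent:
            kept.append(frame)
        recent.append(key)
    return kept

def dedup_time(frames, dup_time_window, ignore=0):
    """Model of -w <dup time window> [-I <bytes>] over (timestamp, frame)
    pairs already in chronological order: a frame is dropped when a frame
    with the same key arrived at most dup_time_window seconds earlier."""
    recent = deque()  # (timestamp, key) of every frame examined so far
    kept = []
    for ts, frame in frames:
        key = frame_digest(frame, ignore)
        while recent and ts - recent[0][0] > dup_time_window:
            recent.popleft()  # older than the window: no longer compared
        if all(k != key for _, k in recent):
            kept.append((ts, frame))
        recent.append((ts, key))
    return kept

def ether_ip_frame(dst_mac, src_mac, ttl, payload):
    """Constructed Ethernet/IPv4 sample frame (IP checksum left zero, so
    sample data only). Bytes 0-13 are Ethernet, 14-33 the IPv4 header, so
    -I 26 skips everything before the IP source/destination addresses."""
    ip = (bytes([0x45, 0]) + (20 + len(payload)).to_bytes(2, "big")
          + bytes([0, 1, 0x40, 0, ttl, 17, 0, 0])       # id, flags, TTL, proto, csum
          + bytes([10, 0, 0, 1, 10, 0, 0, 2]))           # src 10.0.0.1, dst 10.0.0.2
    return dst_mac + src_mac + b"\x08\x00" + ip + payload

# One datagram seen by two capture points: different MACs and a decremented
# TTL, otherwise identical (constructed sample trace).
PAYLOAD = b"constructed sample datagram"
AT_ROUTER_1 = ether_ip_frame(b"\x00\x11" * 3, b"\x00\x22" * 3, 64, PAYLOAD)
AT_ROUTER_2 = ether_ip_frame(b"\x00\x33" * 3, b"\x00\x44" * 3, 63, PAYLOAD)
OTHER = ether_ip_frame(b"\x00\x11" * 3, b"\x00\x22" * 3, 64, b"something else")
TRACE = [AT_ROUTER_1, AT_ROUTER_2, OTHER, AT_ROUTER_1]
TIMED_TRACE = list(zip([0.00, 0.05, 0.30, 0.35], TRACE))
```

With the default window (-d) only the exact repeat of the first frame is dropped; with -I 26 the copy seen at the second router is recognised as a duplicate too.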

--inject-secrets <secrets type>,<file>

Inserts the contents of <file> into a Decryption Secrets Block
(DSB) within the pcapng output file. This enables decryption
without requiring additional configuration in protocol preferences.

The file format is described by <secrets type> which can be one of:

tls  TLS Key Log as described at
     https://developer.mozilla.org/NSS_Key_Log_Format
wg   WireGuard Key Log, see
     https://gitlab.com/wireshark/wireshark/-/wikis/WireGuard#key-log-format

This option may be specified multiple times. The available options
for <secrets type> can be listed with --inject-secrets help.

--discard-all-secrets

Discard all decryption secrets from the input file when writing the
output file. Does not discard secrets added by --inject-secrets in
the same command line.

--capture-comment <comment>

Adds the given comment to the output file, if supported by the
output file format. New comments will be added after any comments
present in the input file unless --discard-capture-comment is also
specified.

This option may be specified multiple times. Note that Wireshark
currently only displays the first comment of a capture file.

--discard-capture-comment

Discard all capture file comments from the input file when writing
the output file. Does not discard comments added by
--capture-comment in the same command line.

EXAMPLES
To see a more detailed description of the options use:

editcap -h

To shrink the capture file by truncating the packets at 64 bytes and
writing it as a Sun snoop file use:

editcap -s 64 -F snoop capture.pcapng shortcapture.snoop

To delete packet 1000 from the capture file use:

editcap capture.pcapng sans1000.pcapng 1000

To limit a capture file to packets from number 200 to 750 (inclusive)
use:

editcap -r capture.pcapng small.pcapng 200-750

To get all packets from number 1-500 (inclusive) use:

editcap -r capture.pcapng first500.pcapng 1-500

or

editcap capture.pcapng first500.pcapng 501-9999999

To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:

editcap capture.pcapng exclude.pcapng 1 5 10-20 30-40

To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file
use:

editcap -r capture.pcapng select.pcapng 1 5 10-20 30-40

To remove duplicate packets seen within the prior four frames use:

editcap -d capture.pcapng dedup.pcapng

To remove duplicate packets seen within the prior four frames while
skipping radiotap headers use:

editcap -d --skip-radiotap-header capture.pcapng dedup.pcapng

To remove duplicate packets seen within the prior 100 frames use:

editcap -D 101 capture.pcapng dedup.pcapng

To remove duplicate packets seen 1/10th of a second or less apart:

editcap -w 0.1 capture.pcapng dedup.pcapng

To display the MD5 hash for all of the packets (and NOT generate any
real output file):

editcap -v -D 0 capture.pcapng /dev/null

or on Windows systems

editcap -v -D 0 capture.pcapng NUL

To advance the timestamps of each packet forward by 3.0827 seconds:

editcap -t 3.0827 capture.pcapng adjusted.pcapng

To ensure all timestamps are in strict chronological order:

editcap -S 0 capture.pcapng adjusted.pcapng

To introduce 5% random errors in a capture file use:

editcap -E 0.05 capture.pcapng capture_error.pcapng

To remove VLAN tags from all packets within an Ethernet-encapsulated
capture file, use:

editcap -L -C 12:4 capture_vlan.pcapng capture_no_vlan.pcapng

To chop both the 10-byte and 20-byte regions from the following 75-byte
packet in a single pass, use any of the 8 possible methods provided
below:

<--------------------------- 75 ---------------------------->

+---+-------+-----------+---------------+-------------------+
| 5 |  10   |    15     |      20       |        25         |
+---+-------+-----------+---------------+-------------------+

1) editcap -C 5:10 -C -25:-20 capture.pcapng chopped.pcapng
2) editcap -C 5:10 -C 50:-20 capture.pcapng chopped.pcapng
3) editcap -C -70:10 -C -25:-20 capture.pcapng chopped.pcapng
4) editcap -C -70:10 -C 50:-20 capture.pcapng chopped.pcapng
5) editcap -C 30:20 -C -60:-10 capture.pcapng chopped.pcapng
6) editcap -C 30:20 -C 15:-10 capture.pcapng chopped.pcapng
7) editcap -C -45:20 -C -60:-10 capture.pcapng chopped.pcapng
8) editcap -C -45:20 -C 15:-10 capture.pcapng chopped.pcapng
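A model of the -C offset and length rules (see the -C option above) that checks that all eight command lines just listed remove the same bytes, added here as an illustration rather than code from editcap. It assumes only what the -C description states (positive lengths chop forward from the anchor, negative lengths backward, positive offsets count from the start and negative ones from the end, an omitted offset means the start for positive and the end for negative lengths) and clamps a chop that runs past the packet; the 75-byte packet and the 802.1Q frame are constructed sample data.

```python
def chop_region(caplen, offset, choplen):
    """Turn one -C [offset:]<choplen> into the [start, end) byte range it
    removes, expressed on the unmodified packet of length caplen."""
    if choplen > 0:                      # chop forward from the anchor
        anchor = offset if offset >= 0 else caplen + offset
        start, end = anchor, anchor + choplen
    elif choplen < 0:                    # chop backward from the anchor
        anchor = offset if offset > 0 else caplen + offset
        start, end = anchor + choplen, anchor
    else:
        return None
    start, end = max(start, 0), min(end, caplen)  # never chop past the packet
    return (start, end) if start < end else None

def chop(packet, specs):
    """Apply a list of (offset, choplen) pairs the way a single editcap pass
    would: every region is resolved against the original packet, so one
    positive and one negative chop combine regardless of order. Returns
    (new_data, bytes_removed); with -L the original frame length would be
    reduced by bytes_removed as well."""
    regions = [r for r in (chop_region(len(packet), o, l) for o, l in specs) if r]
    kept = bytes(b for i, b in enumerate(packet)
                 if not any(s <= i < e for s, e in regions))
    return kept, len(packet) - len(kept)

# Constructed 75-byte packet laid out as 5 | 10 | 15 | 20 | 25 like the
# diagram above; each region is filled with a distinct byte value.
PACKET75 = bytes([0xAA] * 5 + [0xBB] * 10 + [0xCC] * 15 + [0xDD] * 20 + [0xEE] * 25)

# The eight equivalent command lines, as (offset, choplen) pairs.
EIGHT_WAYS = [
    [(5, 10), (-25, -20)],   [(5, 10), (50, -20)],
    [(-70, 10), (-25, -20)], [(-70, 10), (50, -20)],
    [(30, 20), (-60, -10)],  [(30, 20), (15, -10)],
    [(-45, 20), (-60, -10)], [(-45, 20), (15, -10)],
]

def all_eight_agree():
    """True when every method yields the 45-byte packet 5 | 15 | 25."""
    want = PACKET75[:5] + PACKET75[15:30] + PACKET75[50:]
    return all(chop(PACKET75, specs) == (want, 30) for specs in EIGHT_WAYS)

# -C 12:4 on an 802.1Q-tagged Ethernet frame drops the 4-byte TPID/TCI,
# leaving a plain Ethernet header (constructed frame, not real traffic).
TAGGED = b"\x00\x11" * 3 + b"\x00\x22" * 3 + b"\x81\x00\x00\x64" + b"\x08\x00" + b"P" * 46

def strip_vlan(frame):
    return chop(frame, [(12, 4)])[0]
```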

To add comment strings to the first 2 input frames, use:

editcap -a "1:1st frame" -a 2:Second capture.pcapng capture-comments.pcapng

SEE ALSO
pcap(3), wireshark(1), tshark(1), mergecap(1), dumpcap(1), capinfos(1),
text2pcap(1), reordercap(1), od(1), pcap-filter(7) or tcpdump(8)

NOTES
This is the manual page for Editcap 3.6.2. Editcap is part of the
Wireshark distribution. The latest version of Wireshark can be found at
https://www.wireshark.org.

HTML versions of the Wireshark project man pages are available at
https://www.wireshark.org/docs/man-pages.

AUTHORS
Original Author
Richard Sharpe <sharpe[AT]ns.aus.com>

Contributors
Guy Harris <guy[AT]alum.mit.edu>
Ulf Lamping <ulf.lamping[AT]web.de>


2022-02-16 EDITCAP(1)