Wireshark - 1.0 Betriebsanweisung
D.6. editcap: Edit capture files
Included with Wireshark is a small utility called editcap, which is a command-line utility for work-
ing with capture files. Its main function is to remove packets from capture files, but it can also be
used to convert capture files from one format to another, as well as to print information about cap-
ture files.
ing with capture files. Its main function is to remove packets from capture files, but it can also be
used to convert capture files from one format to another, as well as to print information about cap-
ture files.
Example D.3. Help information available from editcap
$ editcap -h
Editcap 0.99.6
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.
Editcap 0.99.6
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
A single packet or a range of packets can be selected.
Packets:
-C <choplen>
chop each packet at the end by <choplen> bytes
-d
remove duplicate packets
-E <error probability> set the probability (between 0.0 and 1.0 incl.)
that a particular packet byte will be randomly changed
-r
keep the selected packets, default is to delete them
-s <snaplen>
truncate packets to max. <snaplen> bytes of data
-t <time adjustment>
adjust the timestamp of selected packets,
<time adjustment> is in relative seconds (e.g. -0.5)
<time adjustment> is in relative seconds (e.g. -0.5)
-A <start time>
don't output packets whose timestamp is before the
given time (format as YYYY-MM-DD hh:mm:ss)
given time (format as YYYY-MM-DD hh:mm:ss)
-B <stop time>
don't output packets whose timestamp is after the
given time (format as YYYY-MM-DD hh:mm:ss)
given time (format as YYYY-MM-DD hh:mm:ss)
Output File(s):
-c <packets per file>
split the packet output to different files,
with a maximum of <packets per file> each
with a maximum of <packets per file> each
-F <capture type>
set the output file type, default is libpcap
an empty "-F" option will list the file types
an empty "-F" option will list the file types
-T <encap type>
set the output file encapsulation type,
default is the same as the input file
an empty "-T" option will list the encapsulation types
default is the same as the input file
an empty "-T" option will list the encapsulation types
Miscellaneous:
-h
display this help and exit
-v
verbose output
$ editcap -F
editcap: option requires an argument -- F
editcap: The available capture file types for "F":
editcap: option requires an argument -- F
editcap: The available capture file types for "F":
libpcap - Wireshark/tcpdump/... - libpcap
nseclibpcap - Wireshark - nanosecond libpcap
modlibpcap - Modified tcpdump - libpcap
nokialibpcap - Nokia tcpdump - libpcap
rh6_1libpcap - Red Hat 6.1 tcpdump - libpcap
suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
5views - Accellent 5Views capture
dct2000 - Catapult DCT2000 trace (.out format)
nettl - HP-UX nettl trace
netmon1 - Microsoft NetMon 1.x
netmon2 - Microsoft NetMon 2.x
ngsniffer - NA Sniffer (DOS)
ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
niobserverv9 - Network Instruments Observer (V9)
lanalyzer - Novell LANalyzer
snoop - Sun snoop
rf5 - Tektronix K12xx 32-bit .rf5 format
visual - Visual Networks traffic capture
nseclibpcap - Wireshark - nanosecond libpcap
modlibpcap - Modified tcpdump - libpcap
nokialibpcap - Nokia tcpdump - libpcap
rh6_1libpcap - Red Hat 6.1 tcpdump - libpcap
suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
5views - Accellent 5Views capture
dct2000 - Catapult DCT2000 trace (.out format)
nettl - HP-UX nettl trace
netmon1 - Microsoft NetMon 1.x
netmon2 - Microsoft NetMon 2.x
ngsniffer - NA Sniffer (DOS)
ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
niobserverv9 - Network Instruments Observer (V9)
lanalyzer - Novell LANalyzer
snoop - Sun snoop
rf5 - Tektronix K12xx 32-bit .rf5 format
visual - Visual Networks traffic capture
$ editcap -T
editcap: option requires an argument -- T
editcap: The available encapsulation types for "T":
editcap: option requires an argument -- T
editcap: The available encapsulation types for "T":
ether - Ethernet
tr - Token Ring
slip - SLIP
ppp - PPP
fddi - FDDI
fddi-swapped - FDDI with bit-swapped MAC addresses
tr - Token Ring
slip - SLIP
ppp - PPP
fddi - FDDI
fddi-swapped - FDDI with bit-swapped MAC addresses
Related command line tools
252