Filtering out duplicate packets with Wireshark (editcap)


At work I received a capture taken by someone else and found that the packets in it were duplicated. Since it had to be analysed, the duplicates needed to be removed, but a web search turned up nothing relevant.

So I searched the Wireshark help for "delete" and found the following tool:

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only output packets whose timestamp is after (or equal
                         to) the given time (format as YYYY-MM-DD hh:mm:ss).
  -B <stop time>         only output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss).

Duplicate packet removal:
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).

           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -v may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C <choplen>           chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end.
  -t <time adjustment>

The -d option removes the duplicates. Note that it only compares each packet with the five packets immediately before it (the packets are matched by MD5 hash of their contents), so if the copies in a capture arrive further apart, use -D with a larger window, or -w with a time window in seconds. As the help text warns, do not combine these options with other editcap options apart from -v.

editcap.exe is found in the Wireshark installation directory.

So, from a cmd prompt, specify the source file and the destination file to produce the new, de-duplicated file:

D:\Program Files\Wireshark>editcap -d d:\test.pcap d:\testresult.pcap
66848 packets seen, 27991 packets skipped with duplicate window of 5 packets.
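To make the window semantics from the help text concrete, here is an added Python example (not part of the original post, and not editcap's own code) that re-implements the two duplicate-removal modes described above, the packet-count window of -d / -D and the time window of -w, and runs them over a constructed capture. It assumes classic little-endian pcap files with microsecond timestamps, that the capture is in timestamp order, and that a duplicate means identical captured bytes (compared by length plus MD5, the hash the help text mentions). The sample packets, their payloads and timestamps are all made up for the demo.

```python
import hashlib
import struct
from collections import deque

# Constructed sample capture: (timestamp in seconds, frame bytes). Payloads are
# placeholders, not real frames; only which ones repeat matters. Packet 2 repeats
# packet 1 one packet later; packet 8 repeats it 6 packets and 1 s later, which
# the default window of 5 cannot see.
SAMPLE_PACKETS = [
    (0.000000, b"A" * 60),
    (0.000010, b"A" * 60),
    (0.000020, b"B" * 60),
    (0.000030, b"C" * 60),
    (0.000040, b"D" * 60),
    (0.000050, b"E" * 60),
    (0.000060, b"F" * 60),
    (1.000000, b"A" * 60),
]

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps


def write_pcap(packets, snaplen=65535, linktype=1):
    """Serialise (ts, bytes) pairs as classic little-endian libpcap."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)


def read_pcap(blob):
    """Parse classic little-endian libpcap bytes back into (ts, bytes) pairs."""
    if struct.unpack_from("<I", blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    offset, packets = 24, []
    while offset + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from("<IIII", blob, offset)
        offset += 16
        packets.append((sec + usec / 1_000_000, blob[offset:offset + caplen]))
        offset += caplen
    return packets


def digest(data):
    """What gets compared: captured length plus MD5 of the captured bytes."""
    return len(data), hashlib.md5(data).digest()


def dedup_by_count(packets, window=5):
    """Packet-count window, modelled on editcap -d (window 5) and -D <dup window>.
    A packet is skipped when its digest matches any of the previous `window`
    packets seen; skipped packets still enter the history (assumed to match
    editcap's ring-buffer behaviour). A window of 0 removes nothing.
    Returns (kept_packets, skipped_count)."""
    history = deque(maxlen=window)
    kept, skipped = [], 0
    for ts, data in packets:
        key = digest(data)
        if key in history:
            skipped += 1
        else:
            kept.append((ts, data))
        history.append(key)
    return kept, skipped


def dedup_by_time(packets, seconds):
    """Time window, modelled on editcap -w <dup time window>: skip a packet when
    the same digest was seen no more than `seconds` earlier. Assumes the capture
    is in timestamp order. Returns (kept_packets, skipped_count)."""
    history = deque()  # (ts, key), oldest first
    kept, skipped = [], 0
    for ts, data in packets:
        key = digest(data)
        while history and ts - history[0][0] > seconds:
            history.popleft()  # fell out of the time window
        if any(k == key for _, k in history):
            skipped += 1
        else:
            kept.append((ts, data))
        history.append((ts, key))
    return kept, skipped


def dedup_pcap(blob, window=5):
    """In-memory equivalent of `editcap -d in.pcap out.pcap`.
    Returns (new_pcap_bytes, packets_seen, packets_skipped)."""
    packets = read_pcap(blob)
    kept, skipped = dedup_by_count(packets, window)
    return write_pcap(kept), len(packets), skipped


if __name__ == "__main__":
    blob = write_pcap(SAMPLE_PACKETS)
    for w in (5, 10):
        _, seen, skipped = dedup_pcap(blob, window=w)
        print(f"{seen} packets seen, {skipped} packets skipped with duplicate window of {w} packets.")
    print(f"{dedup_by_time(SAMPLE_PACKETS, 0.00005)[1]} packets skipped with a 50 us time window.")
```

Running it prints a summary in the same shape as editcap's: with a window of 5 only the adjacent duplicate is dropped, while a window of 10 (or a time window of 2 s) also catches the copy that arrives six packets later. That is why it is worth looking at the ratio in editcap's own summary line: when the copies in a capture are not adjacent, the count from plain -d will be suspiciously low, and -D or -w is the right tool.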
