Wireshark CLI | Editcap 篇

简介

Editcap 是 Wireshark 程序安装时附带的可选工具之一,用于编辑数据包文件的命令行工具。

editcap [ -a <frame:comment> ] [ -A <start time> ] [ -B <stop time> ] [ -c <packets per file> ] [ -C [offset:]<choplen> ] [ -E <error probability> ] [ -F <file format> ] [ -i <seconds per file> ] [ -o <change offset> ] [ -L ] [ -r ] [ -s <snaplen> ] [ -S <strict time adjustment> ] [ -t <time adjustment> ] [ -T <encapsulation type> ] [ -V ] [ --inject-secrets <secrets type>,<file> ] [ --discard-all-secrets ] [ --capture-comment <comment> ] [ --discard-capture-comment ] infile outfile [ packet#[-packet#] … ]

editcap -d -D <dup window> -w <dup time window> [ -V ] [ -I <bytes to ignore> ] [ --skip-radiotap-header ] infile outfile

editcap -h|--help

editcap -v|--version

Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)


描述

Editcap 是一个从文件读取部分或所有捕获数据包的程序,可选地以各种方式转换它们,并将结果数据包写入输出文件。缺省情况下,它从输入文件中读取所有数据包,并以 pcapng 文件格式写进输出文件。

Editcap 的几个常见功能:

  • 可以按时间、长度等截取数据包。
  • 可以用来删除重复的数据包,可用来控制用于重复比较的包窗口或相对时间窗口。
  • 可以用来编辑数据帧的描述。
  • 可以检测、读取和写入 Wireshark 支持的相同捕获文件。
  • 可以用几种输出格式编写文件。

选项

$ editcap

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present; use '-' for stdin or stdout.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only read packets whose timestamp is after (or equal
                         to) the given time.
  -B <stop time>         only read packets whose timestamp is before the
                         given time.
                         Time format for -A/-B options is
                         YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
                         Unix epoch timestamps are also supported.

Duplicate packet removal:
  --novlan               remove vlan info from packets before checking for duplicates.
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>.
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -V (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).
           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -V may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.
  --skip-radiotap-header skip radiotap header when checking for packet duplicates.
                         Useful when processing packets captured by multiple radios
                         on the same channel in the vicinity of each other.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame (i.e. reported) length when chopping
                         and/or snapping.
  -t <time adjustment>   adjust the timestamp of each packet.
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                         a particular packet byte will be randomly changed.
  -o <change offset>     When used in conjunction with -E, skip some bytes from the
                         beginning of the packet. This allows one to preserve some
                         bytes, in order to have some headers untouched.
  --seed <seed>          When used in conjunction with -E, set the seed to use for
                         the pseudo-random number generator. This allows one to
                         repeat a particular sequence of errors.
  -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                         of the frame during MD5 hash calculation, unless the
                         frame is too short, then the full frame is used.
                         Useful to remove duplicated packets taken on
                         several routers (different mac addresses for
                         example).
                         e.g. -I 26 in case of Ether/IP will ignore
                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
  -a <framenum>:<comment> Add or replace comment for given frame number

Output File(s):
  -c <packets per file>  split the packet output to different files based on
                         uniform packet counts with a maximum of
                         <packets per file> each.
  -i <seconds per file>  split the packet output to different files based on
                         uniform time intervals with a maximum of
                         <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng.
                         An empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type; default is the
                         same as the input file. An empty "-T" option will
                         list the encapsulation types.
  --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List
                         supported secret types with "--inject-secrets help".
  --discard-all-secrets  Discard all decryption secrets from the input file
                         when writing the output file.  Does not discard
                         secrets added by "--inject-secrets" in the same
                         command line.
  --capture-comment <comment>
                         Add a capture file comment, if supported.
  --discard-capture-comment
                         Discard capture file comments from the input file
                         when writing the output file.  Does not discard
                         comments added by "--capture-comment" in the same
                         command line.

Miscellaneous:
  -h, --help             display this help and exit.
  -V                     verbose output.
                         If -V is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-error.
  -v, --version          print version information and exit.

实例

以下以实例讲解各选项的作用,测试跟踪文件主要信息如下。

$ capinfos test.pcapng
File name:           test.pcapng
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Number of packets:   20 k
File size:           9213 kB
Data size:           8530 kB
Capture duration:    37.528437 seconds
First packet time:   2021-08-15 21:34:27.791910
Last packet time:    2021-08-15 21:35:05.320347
Data byte rate:      227 kBps
Data bit rate:       1818 kbps
Average packet size: 419.22 bytes
Average packet rate: 542 packets/s
SHA256:              03cdf99c02a73c3a0ada4f857eaffa587fd78d081cc8cd4e0c7b79f1587086fa
RIPEMD160:           78696db33a42825bb42a7c63d0fc6053cc88e851
SHA1:                7c9d9db15cfa4c237c16289862e9b1cde08a760f
Strict time order:   False
Capture hardware:    Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz (with SSE4.2)
Capture oper-sys:    64-bit Windows 10 (1809), build 17763
Capture application: Dumpcap (Wireshark) 3.4.7 (v3.4.7-0-ge42cbf6a415f)
Capture comment:     test
Number of interfaces in file: 1
Interface #0 info:
                     Name = \Device\NPF_{15DAC5F9-EEF5-4A7E-A590-E0968FC225A4}
                     Description = Ethernet0
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Time resolution = 0x06
                     Operating system = 64-bit Windows 10 (1809), build 17763
                     Number of stat entries = 1
                     Number of packets = 20348

Packet selection

数据包选取选项,主要包括以下:

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only read packets whose timestamp is after (or equal
                         to) the given time.
  -B <stop time>         only read packets whose timestamp is before the
                         given time.
                         Time format for -A/-B options is
                         YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
                         Unix epoch timestamps are also supported.


                             
$ editcap -r test.pcapng test1.pcapng 1-10
保留 test.pcapng 中 1#-10# 的数据包,然后保存为 test1.pcapng


$ editcap -r test.pcapng test1.pcapng 10
保留 test.pcapng 中 10# 的数据包,然后保存为 test1.pcapng


$ editcap -A "2021-08-15 21:35:00" test.pcapng test1.pcapng
从 test.pcapng 中读取指定时间之后的数据包,然后保存为 test1.pcapng


$ editcap -B "2021-08-15 21:35:00" test.pcapng test1.pcapng
从 test.pcapng 中读取指定时间之前的数据包,然后保存为 test1.pcapng


$ editcap -A "2021-08-15 21:34:30" -B "2021-08-15 21:35:00" test.pcapng test1.pcapng
从 test.pcapng 中读取指定时间前后的数据包,然后保存为 test1.pcapng

Duplicate packet removal

重复数据包删除选项,主要包括以下:

Duplicate packet removal:
  --novlan               remove vlan info from packets before checking for duplicates.
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>.
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).
           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -v may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.
  --skip-radiotap-header skip radiotap header when checking for packet duplicates.
                         Useful when processing packets captured by multiple radios
                         on the same channel in the vicinity of each other.



$ editcap --novlan test.pcapng test1.pcapng
跟踪文件实测实际无效果,查询文档或与数据包文件相关,需满足 linux sll + vlan 条件的数据包文件。


$ editcap -d test.pcapng test1.pcapng
2 packets seen, 1 packet skipped with duplicate window of 5 packets.
尝试删除重复的数据包,将当前报文的长度和MD5哈希值与前4个报文进行比较。如果找到匹配,则删除当前报文。这个选项相当于使用选项-D 5。      


$ editcap -d -D 6 test1.pcapng test2.pcapng
6 packets seen, 1 packet skipped with duplicate window of 6 packets.
6个窗口,即将当前报文的长度和MD5哈希值与前5个报文进行比较。


$ editcap -D 0 -V test1.pcapng test2.pcapng
File test1.pcapng is a InfoVista 5View capture capture file.
Packet: 1, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
Packet: 2, Len: 112, MD5 Hash: 8115aa6990b2064660934f36f1b5bacc
Packet: 3, Len: 112, MD5 Hash: 1fbf43ee3fb682cb82d5adddf87bb0cc
Packet: 4, Len: 112, MD5 Hash: 129fcc09853b16a260b55b92656fb148
Packet: 5, Len: 112, MD5 Hash: 4f2a15c3946ab86b6fccf70ad84d57a9
Packet: 6, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
6 packets seen, 0 packets skipped with duplicate window of 0 packets.
    

$ editcap -w 0.000015 test.pcapng test2.pcapng
6 packets seen, 1 packet skipped with duplicate time window equal to or less than 0.000015000 seconds.
      

$ editcap --skip-radiotap-header
当检查数据包重复时跳过 radiotap 头部。因无合适数据包文件,暂无测试。

Packet manipulation

数据包编辑操作选项,主要包括以下:

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame (i.e. reported) length when chopping
                         and/or snapping.
  -t <time adjustment>   adjust the timestamp of each packet.
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                         a particular packet byte will be randomly changed.
  -o <change offset>     When used in conjunction with -E, skip some bytes from the
                         beginning of the packet. This allows one to preserve some
                         bytes, in order to have some headers untouched.
  --seed <seed>          When used in conjunction with -E, set the seed to use for
                         the pseudo-random number generator. This allows one to
                         repeat a particular sequence of errors.
  -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                         of the frame during MD5 hash calculation, unless the
                         frame is too short, then the full frame is used.
                         Useful to remove duplicated packets taken on
                         several routers (different mac addresses for
                         example).
                         e.g. -I 26 in case of Ether/IP will ignore
                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
  -a <framenum>:<comment> Add or replace comment for given frame number




$ editcap -s 60 test.pcapng test1.pcapng
按 60 字节长度截断数据包。


$ editcap -C 12:4 test.pcapng test2.pcapng
删除 vlan 


+---+-------+-----------+---------------+-------------------+
| 5 |   10  |     15    |       20      |         25        |
+---+-------+-----------+---------------+-------------------+
删除 1020 区域字节
$ editcap -C 5:10 -C -25:-20 test1.pcapng test2.pcapng
$ editcap -C 5:10 -C 50:-20 test1.pcapng test2.pcapng
$ editcap -C -70:10 -C -25:-20 test1.pcapng test2.pcapng
$ editcap -C -70:10 -C 50:-20 test1.pcapng test2.pcapng
$ editcap -C 30:20 -C -60:-10 test1.pcapng test2.pcapng
$ editcap -C 30:20 -C 15:-10 test1.pcapng test2.pcapng
$ editcap -C -45:20 -C -60:-10 test1.pcapng test2.pcapng
$ editcap -C -45:20 -C 15:-10 test1.pcapng test2.pcapng


$ editcap -L -C 12:4 test.pcapng test2.pcapng
无 -L 时,-C 删除 4 字节,最终会显示 Frame 长度 112 ,捕获长度 108;有 -L 时,-C 删除 4 字节,最终会显示 Frame 长度 108 ,捕获长度 108 。


$ editcap -t -1 test.pcapng test2.pcapng
每个数据包往前调整1s


$ editcap -S -1 test.pcapng test2.pcapng
每个数据包按 1s 时间顺序递增


$ editcap -E -0.2 test.pcapng test2.pcapng
设置随机改变一个特定数据包字节的概率为 0.2 。此选项用于模糊测试协议解析器。


$ editcap -E -0.2 -o 34 test.pcapng test2.pcapng
跳过数据包开头的 34 字节,设置随机改变一个特定数据包字节的概率为 0.2。


$ editcap -E -0.2 --seed 10 test.pcapng test2.pcapng
设置伪随机数生成器的种子,这允许重复特定的错误序列。


$ editcap -d -I 26 test.pcapng test2.pcapng
20348 packets seen, 11 packets skipped with duplicate window of 5 packets.
在MD5哈希计算时,忽略帧开始的指定字节数,除非该帧太短,否则将使用完整帧。


$ editcap -a 1:"test teset" test.pcapng test2.pcapng
增加或替换指定数据包的注释

Output File(s)

输出文件选项,主要包括以下:

Output File(s):
  -c <packets per file>  split the packet output to different files based on
                         uniform packet counts with a maximum of
                         <packets per file> each.
  -i <seconds per file>  split the packet output to different files based on
                         uniform time intervals with a maximum of
                         <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng.
                         An empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type; default is the
                         same as the input file. An empty "-T" option will
                         list the encapsulation types.
  --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List
                         supported secret types with "--inject-secrets help".
  --discard-all-secrets  Discard all decryption secrets from the input file
                         when writing the output file.  Does not discard
                         secrets added by "--inject-secrets" in the same
                         command line.
  --capture-comment <comment>
                         Add a capture file comment, if supported.
  --discard-capture-comment
                         Discard capture file comments from the input file
                         when writing the output file.  Does not discard
                         comments added by "--capture-comment" in the same
                         command line.


                            
$ editcap -c 4 icmp.pcapng icmp1.pcapng
每 4 个包分成一个文件,从00000开始,然后是它的第一个包的时间戳。如果输入文件不包含时间戳信息,则省略时间戳。
譬如 icmp.pcapng 中一共 16 个数据包,分割成了 icmp1_00000_20210704113248.pcapng、icmp1_00001_20210704113249.pcapng、icmp1_00002_20210704113250.pcapng、icmp1_00003_20210704113251.pcapng 4个文件。


$ editcap -i 1 icmp.pcapng icmp1.pcapng
根据统一的时间间隔将数据包输出分割到不同的文件,每个文件的最大间隔为 1 秒。允许使用浮点值(例如0.5)。


$ editcap -F
editcap: The available capture file types for the "-F" flag are:
    pcap - Wireshark/tcpdump/... - pcap
    pcapng - Wireshark/... - pcapng
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview-ncf - TamoSoft CommView NCF
    commview-ncfx - TamoSoft CommView NCFX
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    logcat - Android Logcat Binary format
    logcat-brief - Android Logcat Brief text format
    logcat-long - Android Logcat Long text format
    logcat-process - Android Logcat Process text format
    logcat-tag - Android Logcat Tag text format
    logcat-thread - Android Logcat Thread text format
    logcat-threadtime - Android Logcat Threadtime text format
    logcat-time - Android Logcat Time text format
    modpcap - Modified tcpdump - pcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - Sniffer (DOS)
    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
    ngwsniffer_2_0 - Sniffer (Windows) 2.00x
    nokiapcap - Nokia tcpdump - pcap
    nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    nstrace30 - NetScaler Trace (Version 3.0)
    nstrace35 - NetScaler Trace (Version 3.5)
    observer - Viavi Observer
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1pcap - RedHat 6.1 tcpdump - pcap
    snoop - Sun snoop
    suse6_3pcap - SuSE 6.3 tcpdump - pcap
    visual - Visual Networks traffic capture
    
$ editcap -F pcap
设置输出捕获文件的文件格式。缺省为pcapng格式。



$ editcap -T
editcap: The available encapsulation types for the "-T" flag are:
    ap1394 - Apple IP-over-IEEE 1394
    arcnet - ARCNET
    arcnet_linux - Linux ARCNET
    ascend - Lucent/Ascend access equipment
    atm-pdus - ATM PDUs
    atm-pdus-untruncated - ATM PDUs - untruncated
    atm-rfc1483 - RFC 1483 ATM
    ax25 - Amateur Radio AX.25
    ax25-kiss - AX.25 with KISS header
    bacnet-ms-tp - BACnet MS/TP
    bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
    ber - ASN.1 Basic Encoding Rules
    bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
    bluetooth-h4 - Bluetooth H4
    bluetooth-h4-linux - Bluetooth H4 with linux header
    bluetooth-hci - Bluetooth without transport layer
    bluetooth-le-ll - Bluetooth Low Energy Link Layer
    bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
    bluetooth-linux-monitor - Bluetooth Linux Monitor
    can20b - Controller Area Network 2.0B
    chdlc - Cisco HDLC
    chdlc-with-direction - Cisco HDLC with Directional Info
    cosine - CoSine L2 debug log
    dbus - D-Bus
    dct2000 - Catapult DCT2000
    docsis - Data Over Cable Service Interface Specification
    docsis31_xra31 - DOCSIS with Excentis XRA pseudo-header
    dpauxmon - DisplayPort AUX channel with Unigraf pseudo-header
    dpnss_link - Digital Private Signalling System No 1 Link Layer
    dvbci - DVB-CI (Common Interface)
    ebhscr - Elektrobit High Speed Capture and Replay
    enc - OpenBSD enc(4) encapsulating interface
    epon - Ethernet Passive Optical Network
    erf - Extensible Record Format
    eri_enb_log - Ericsson eNode-B raw log
    ether - Ethernet
    ether-mpacket - IEEE 802.3br mPackets
    ether-nettl - Ethernet with nettl headers
    etw - Event Tracing for Windows messages
    fc2 - Fibre Channel FC-2
    fc2sof - Fibre Channel FC-2 With Frame Delimiter
    fddi - FDDI
    fddi-nettl - FDDI with nettl headers
    fddi-swapped - FDDI with bit-swapped MAC addresses
    flexray - FlexRay
    frelay - Frame Relay
    frelay-with-direction - Frame Relay with Directional Info
    gcom-serial - GCOM Serial
    gcom-tie1 - GCOM TIE1
    gfp-f - ITU-T G.7041/Y.1303 Generic Framing Procedure Frame-mapped mode
    gfp-t - ITU-T G.7041/Y.1303 Generic Framing Procedure Transparent mode
    gprs-llc - GPRS LLC
    gsm_um - GSM Um Interface
    hhdlc - HiPath HDLC
    i2c-linux - I2C with Linux-specific pseudo-header
    ieee-802-11 - IEEE 802.11 Wireless LAN
    ieee-802-11-avs - IEEE 802.11 plus AVS radio header
    ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
    ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
    ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
    ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
    ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
    infiniband - InfiniBand
    ios - Cisco IOS internal
    ip-ib - IP over IB
    ip-over-fc - RFC 2625 IP-over-Fibre Channel
    ip-over-ib - IP over InfiniBand
    ipfix - RFC 5655/RFC 5101 IPFIX
    ipmb-kontron - Intelligent Platform Management Bus with Kontron pseudo-header
    ipmi-trace - IPMI Trace Data Collection
    ipnet - Solaris IPNET
    irda - IrDA
    isdn - ISDN
    iso14443 - ISO 14443 contactless smartcard standards
    ixveriwave - IxVeriWave header and stats block
    jfif - JPEG/JFIF
    json - JavaScript Object Notation
    juniper-atm1 - Juniper ATM1
    juniper-atm2 - Juniper ATM2
    juniper-chdlc - Juniper C-HDLC
    juniper-ether - Juniper Ethernet
    juniper-frelay - Juniper Frame-Relay
    juniper-ggsn - Juniper GGSN
    juniper-mlfr - Juniper MLFR
    juniper-mlppp - Juniper MLPPP
    juniper-ppp - Juniper PPP
    juniper-pppoe - Juniper PPPoE
    juniper-st - Juniper Secure Tunnel Information
    juniper-svcs - Juniper Services
    juniper-vn - Juniper VN
    juniper-vp - Juniper Voice PIC
    k12 - K12 protocol analyzer
    lapb - LAPB
    lapd - LAPD
    layer1-event - EyeSDN Layer 1 event
    lin - Local Interconnect Network
    linux-atm-clip - Linux ATM CLIP
    linux-lapd - LAPD with Linux pseudo-header
    linux-sll - Linux cooked-mode capture v1
    linux-sll2 - Linux cooked-mode capture v2
    log_3GPP - 3GPP Phone Log
    logcat - Android Logcat Binary format
    logcat_brief - Android Logcat Brief text format
    logcat_long - Android Logcat Long text format
    logcat_process - Android Logcat Process text format
    logcat_tag - Android Logcat Tag text format
    logcat_thread - Android Logcat Thread text format
    logcat_threadtime - Android Logcat Threadtime text format
    logcat_time - Android Logcat Time text format
    loop - OpenBSD loopback
    loratap - LoRaTap
    ltalk - Localtalk
    message_analyzer_wfp_capture2_v4 - Message Analyzer WFP Capture2 v4
    message_analyzer_wfp_capture2_v6 - Message Analyzer WFP Capture2 v6
    message_analyzer_wfp_capture_auth_v4 - Message Analyzer WFP Capture Auth v4
    message_analyzer_wfp_capture_auth_v6 - Message Analyzer WFP Capture Auth v6
    message_analyzer_wfp_capture_v4 - Message Analyzer WFP Capture v4
    message_analyzer_wfp_capture_v6 - Message Analyzer WFP Capture v6
    mime - MIME
    most - Media Oriented Systems Transport
    mp2ts - ISO/IEC 13818-1 MPEG2-TS
    mp4 - MP4 files
    mpeg - MPEG
    mtp2 - SS7 MTP2
    mtp2-with-phdr - MTP2 with pseudoheader
    mtp3 - SS7 MTP3
    mux27010 - MUX27010
    netanalyzer - Hilscher netANALYZER
    netanalyzer-transparent - Hilscher netANALYZER-Transparent
    netlink - Linux Netlink
    netmon_event - Network Monitor Network Event
    netmon_filter - Network Monitor Filter
    netmon_header - Network Monitor Header
    netmon_network_info - Network Monitor Network Info
    nfc-llcp - NFC LLCP
    nflog - NFLOG
    nordic_ble - nRF Sniffer for Bluetooth LE
    nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
    nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
    nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
    nstrace35 - NetScaler Encapsulation 3.5 of Ethernet
    null - NULL/Loopback
    packetlogger - Apple Bluetooth PacketLogger
    pflog - OpenBSD PF Firewall logs
    pflog-old - OpenBSD PF Firewall logs, pre-3.4
    pktap - Apple PKTAP
    ppi - Per-Packet Information header
    ppp - PPP
    ppp-with-direction - PPP with Directional Info
    pppoes - PPP-over-Ethernet session
    raw-icmp-nettl - Raw ICMP with nettl headers
    raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
    raw-telnet-nettl - Raw telnet with nettl headers
    rawip - Raw IP
    rawip-nettl - Raw IP with nettl headers
    rawip4 - Raw IPv4
    rawip6 - Raw IPv6
    redback - Redback SmartEdge
    rfc7468 - RFC 7468 file
    rtac-serial - RTAC serial-line
    ruby_marshal - Ruby marshal object
    s4607 - STANAG 4607
    s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
    sccp - SS7 SCCP
    sctp - SCTP
    sdh - SDH
    sdjournal - systemd journal
    sdlc - SDLC
    sita-wan - SITA WAN packets
    slip - SLIP
    socketcan - SocketCAN
    symantec - Symantec Enterprise Firewall
    tnef - Transport-Neutral Encapsulation Format
    tr - Token Ring
    tr-nettl - Token Ring with nettl headers
    tzsp - Tazmen sniffer protocol
    unknown - Unknown
    unknown-nettl - Unknown link-layer type with nettl headers
    usb-20 - USB 2.0/1.1/1.0 packets
    usb-darwin - USB packets with Darwin (macOS, etc.) headers
    usb-freebsd - USB packets with FreeBSD header
    usb-linux - USB packets with Linux header
    usb-linux-mmap - USB packets with Linux header and padding
    usb-usbpcap - USB packets with USBPcap header
    user0 - USER 0
    user1 - USER 1
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    v5-ef - V5 Envelope Function
    vpp - Vector Packet Processing graph dispatch trace
    vsock - Linux vsock
    whdlc - Wellfleet HDLC
    wireshark-upper-pdu - Wireshark Upper PDU export
    wpan - IEEE 802.15.4 Wireless PAN
    wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
    wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
    wpan-tap - IEEE 802.15.4 Wireless with TAP pseudo-header
    x2e-serial - X2E serial line capture
    x2e-xoraya - X2E Xoraya
    x25-nettl - X.25 with nettl headers
    xeth - Xerox 3MB Ethernet
    zwave-serial - Z-Wave Serial API packets

$ editcap -T linux-sll
设置输出捕获文件的包封装类型。如果 -T 用于指定封装类型,输出捕获文件的封装类型将被强制为指定类型。默认类型适合于输入捕获文件的封装类型。


$ editcap --inject-secrets <secrets type>,<file>
$ editcap --inject-secrets help
    tls
    wg
$ editcap --inject-secrets tls,tls.log test.pcapng test1.pcapng
将tls密钥加进test.pcapng中的 Decryption Secrets Block (DSB),输出test1.pcapng


$ editcap --discard-all-secrets test1.pcapng test.pcapng
当写入输出文件时,丢弃输入文件中的所有解密密钥。


$ editcap --capture-comment "test test" test.pcapng test1.pcapng
将给定的注释添加到输出文件中,如果输出文件格式支持的话,将在输入文件中出现的任何注释之后添加新的注释。此选项可以指定多次。注意,Wireshark 目前只显示捕获文件的第一个注释。


$ editcap --discard-capture-comment test1.pcapng test.pcapng
丢弃来自输入文件的所有捕获文件注释。

Miscellaneous

杂项选项,主要包括以下:

Miscellaneous:
  -h, --help             display this help and exit.
  -V                     verbose output.
                         If -V is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-error.
  -v, --version          print version information and exit.



$ editcap -h
Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Edit and/or translate the format of capture files.
See https://www.wireshark.org for more information.

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present; use '-' for stdin or stdout.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only read packets whose timestamp is after (or equal
                         to) the given time.
  -B <stop time>         only read packets whose timestamp is before the
                         given time.
                         Time format for -A/-B options is
                         YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
                         Unix epoch timestamps are also supported.

Duplicate packet removal:
  --novlan               remove vlan info from packets before checking for duplicates.
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>.
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -V (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).
           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -V may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.
  --skip-radiotap-header skip radiotap header when checking for packet duplicates.
                         Useful when processing packets captured by multiple radios
                         on the same channel in the vicinity of each other.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame (i.e. reported) length when chopping
                         and/or snapping.
  -t <time adjustment>   adjust the timestamp of each packet.
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                         a particular packet byte will be randomly changed.
  -o <change offset>     When used in conjunction with -E, skip some bytes from the
                         beginning of the packet. This allows one to preserve some
                         bytes, in order to have some headers untouched.
  --seed <seed>          When used in conjunction with -E, set the seed to use for
                         the pseudo-random number generator. This allows one to
                         repeat a particular sequence of errors.
  -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                         of the frame during MD5 hash calculation, unless the
                         frame is too short, then the full frame is used.
                         Useful to remove duplicated packets taken on
                         several routers (different mac addresses for
                         example).
                         e.g. -I 26 in case of Ether/IP will ignore
                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
  -a <framenum>:<comment> Add or replace comment for given frame number

Output File(s):
  -c <packets per file>  split the packet output to different files based on
                         uniform packet counts with a maximum of
                         <packets per file> each.
  -i <seconds per file>  split the packet output to different files based on
                         uniform time intervals with a maximum of
                         <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng.
                         An empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type; default is the
                         same as the input file. An empty "-T" option will
                         list the encapsulation types.
  --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List
                         supported secret types with "--inject-secrets help".
  --discard-all-secrets  Discard all decryption secrets from the input file
                         when writing the output file.  Does not discard
                         secrets added by "--inject-secrets" in the same
                         command line.
  --capture-comment <comment>
                         Add a capture file comment, if supported.
  --discard-capture-comment
                         Discard capture file comments from the input file
                         when writing the output file.  Does not discard
                         comments added by "--capture-comment" in the same
                         command line.

Miscellaneous:
  -h, --help             display this help and exit.
  -V                     verbose output.
                         If -V is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-error.
  -v, --version          print version information and exit.


      
$ editcap -rV test.pcapng test1.pcapng 1
File test.pcapng is a InfoVista 5View capture capture file.
Add_Selected: 1
Not inclusive ... 1
Packet: 1

$ editcap -dV test.pcapng test1.pcapng
File test.pcapng is a InfoVista 5View capture capture file.
Packet: 1, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
Packet: 2, Len: 112, MD5 Hash: 8115aa6990b2064660934f36f1b5bacc
Packet: 3, Len: 112, MD5 Hash: 1fbf43ee3fb682cb82d5adddf87bb0cc
Packet: 4, Len: 112, MD5 Hash: 129fcc09853b16a260b55b92656fb148
Packet: 5, Len: 112, MD5 Hash: 4f2a15c3946ab86b6fccf70ad84d57a9
Packet: 6, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
6 packets seen, 0 packets skipped with duplicate window of 5 packets.
    


$ editcap -v
Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b).

Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with binary plugins.

Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) Gold
6242R CPU @ 3.10GHz (with SSE4.2), with 16382 MB of physical memory, with GLib
2.72.3, with PCRE2 10.40 2022-04-14, with LC_TYPE=C, binary plugins supported. 

你可能感兴趣的:(NetShark,wireshark,网络,tcp/ip,网络协议,tcpdump)