Wireshark CLI | Editcap 篇
简介
Editcap 是 Wireshark 程序安装时附带的可选工具之一,用于编辑数据包文件的命令行工具。
editcap [ -a <frame:comment> ] [ -A <start time> ] [ -B <stop time> ] [ -c <packets per file> ] [ -C [offset:]<choplen> ] [ -E <error probability> ] [ -F <file format> ] [ -i <seconds per file> ] [ -o <change offset> ] [ -L ] [ -r ] [ -s <snaplen> ] [ -S <strict time adjustment> ] [ -t <time adjustment> ] [ -T <encapsulation type> ] [ -V ] [ --inject-secrets <secrets type>,<file> ] [ --discard-all-secrets ] [ --capture-comment <comment> ] [ --discard-capture-comment ] infile outfile [ packet#[-packet#] … ]
editcap -d -D <dup window> -w <dup time window> [ -V ] [ -I <bytes to ignore> ] [ --skip-radiotap-header ] infile outfile
editcap -h|--help
editcap -v|--version
Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
描述
Editcap 是一个从文件读取部分或所有捕获数据包的程序,可选地以各种方式转换它们,并将结果数据包写入输出文件。缺省情况下,它从输入文件中读取所有数据包,并以 pcapng 文件格式写进输出文件。
Editcap 的几个常见功能:
- 可以按时间、长度等截取数据包。
- 可以用来删除重复的数据包,可用来控制用于重复比较的包窗口或相对时间窗口。
- 可以用来编辑数据帧的描述。
- 可以检测、读取和写入 Wireshark 支持的相同捕获文件。
- 可以用几种输出格式编写文件。
选项
$ editcap
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
<infile> and <outfile> must both be present; use '-' for stdin or stdout.
A single packet or a range of packets can be selected.
Packet selection:
-r keep the selected packets; default is to delete them.
-A <start time> only read packets whose timestamp is after (or equal
to) the given time.
-B <stop time> only read packets whose timestamp is before the
given time.
Time format for -A/-B options is
YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
Unix epoch timestamps are also supported.
Duplicate packet removal:
--novlan remove vlan info from packets before checking for duplicates.
-d remove packet if duplicate (window == 5).
-D <dup window> remove packet if duplicate; configurable <dup window>.
Valid <dup window> values are 0 to 1000000.
NOTE: A <dup window> of 0 with -V (verbose option) is
useful to print MD5 hashes.
-w <dup time window> remove packet if duplicate packet is found EQUAL TO OR
LESS THAN <dup time window> prior to current packet.
A <dup time window> is specified in relative seconds
(e.g. 0.000001).
NOTE: The use of the 'Duplicate packet removal' options with
other editcap options except -V may not always work as expected.
Specifically the -r, -t or -S options will very likely NOT have the
desired effect if combined with the -d, -D or -w.
--skip-radiotap-header skip radiotap header when checking for packet duplicates.
Useful when processing packets captured by multiple radios
on the same channel in the vicinity of each other.
Packet manipulation:
-s <snaplen> truncate each packet to max. <snaplen> bytes of data.
-C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values
chop at the packet beginning, negative values at the
packet end. If an optional offset precedes the length,
then the bytes chopped will be offset from that value.
Positive offsets are from the packet beginning,
negative offsets are from the packet end. You can use
this option more than once, allowing up to 2 chopping
regions within a packet provided that at least 1
choplen is positive and at least 1 is negative.
-L adjust the frame (i.e. reported) length when chopping
and/or snapping.
-t <time adjustment> adjust the timestamp of each packet.
<time adjustment> is in relative seconds (e.g. -0.5).
-S <strict adjustment> adjust timestamp of packets if necessary to ensure
strict chronological increasing order. The <strict
adjustment> is specified in relative seconds with
values of 0 or 0.000001 being the most reasonable.
A negative adjustment value will modify timestamps so
that each packet's delta time is the absolute value
of the adjustment specified. A value of -0 will set
all packets to the timestamp of the first packet.
-E <error probability> set the probability (between 0.0 and 1.0 incl.) that
a particular packet byte will be randomly changed.
-o <change offset> When used in conjunction with -E, skip some bytes from the
beginning of the packet. This allows one to preserve some
bytes, in order to have some headers untouched.
--seed <seed> When used in conjunction with -E, set the seed to use for
the pseudo-random number generator. This allows one to
repeat a particular sequence of errors.
-I <bytes to ignore> ignore the specified number of bytes at the beginning
of the frame during MD5 hash calculation, unless the
frame is too short, then the full frame is used.
Useful to remove duplicated packets taken on
several routers (different mac addresses for
example).
e.g. -I 26 in case of Ether/IP will ignore
ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
-a <framenum>:<comment> Add or replace comment for given frame number
Output File(s):
-c <packets per file> split the packet output to different files based on
uniform packet counts with a maximum of
<packets per file> each.
-i <seconds per file> split the packet output to different files based on
uniform time intervals with a maximum of
<seconds per file> each.
-F <capture type> set the output file type; default is pcapng.
An empty "-F" option will list the file types.
-T <encap type> set the output file encapsulation type; default is the
same as the input file. An empty "-T" option will
list the encapsulation types.
--inject-secrets <type>,<file> Insert decryption secrets from <file>. List
supported secret types with "--inject-secrets help".
--discard-all-secrets Discard all decryption secrets from the input file
when writing the output file. Does not discard
secrets added by "--inject-secrets" in the same
command line.
--capture-comment <comment>
Add a capture file comment, if supported.
--discard-capture-comment
Discard capture file comments from the input file
when writing the output file. Does not discard
comments added by "--capture-comment" in the same
command line.
Miscellaneous:
-h, --help display this help and exit.
-V verbose output.
If -V is used with any of the 'Duplicate Packet
Removal' options (-d, -D or -w) then Packet lengths
and MD5 hashes are printed to standard-error.
-v, --version print version information and exit.
实例
以下以实例讲解各选项的作用,测试跟踪文件主要信息如下。
$ capinfos test.pcapng
File name: test.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 20 k
File size: 9213 kB
Data size: 8530 kB
Capture duration: 37.528437 seconds
First packet time: 2021-08-15 21:34:27.791910
Last packet time: 2021-08-15 21:35:05.320347
Data byte rate: 227 kBps
Data bit rate: 1818 kbps
Average packet size: 419.22 bytes
Average packet rate: 542 packets/s
SHA256: 03cdf99c02a73c3a0ada4f857eaffa587fd78d081cc8cd4e0c7b79f1587086fa
RIPEMD160: 78696db33a42825bb42a7c63d0fc6053cc88e851
SHA1: 7c9d9db15cfa4c237c16289862e9b1cde08a760f
Strict time order: False
Capture hardware: Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz (with SSE4.2)
Capture oper-sys: 64-bit Windows 10 (1809), build 17763
Capture application: Dumpcap (Wireshark) 3.4.7 (v3.4.7-0-ge42cbf6a415f)
Capture comment: test
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{15DAC5F9-EEF5-4A7E-A590-E0968FC225A4}
Description = Ethernet0
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 10 (1809), build 17763
Number of stat entries = 1
Number of packets = 20348
Packet selection
数据包选取选项,主要包括以下:
Packet selection:
-r keep the selected packets; default is to delete them.
-A <start time> only read packets whose timestamp is after (or equal
to) the given time.
-B <stop time> only read packets whose timestamp is before the
given time.
Time format for -A/-B options is
YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
Unix epoch timestamps are also supported.
$ editcap -r test.pcapng test1.pcapng 1-10
保留 test.pcapng 中 1#-10# 的数据包,然后保存为 test1.pcapng
$ editcap -r test.pcapng test1.pcapng 10
保留 test.pcapng 中 10# 的数据包,然后保存为 test1.pcapng
$ editcap -A "2021-08-15 21:35:00" test.pcapng test1.pcapng
从 test.pcapng 中读取指定时间之后的数据包,然后保存为 test1.pcapng
$ editcap -B "2021-08-15 21:35:00" test.pcapng test1.pcapng
从 test.pcapng 中读取指定时间之前的数据包,然后保存为 test1.pcapng
$ editcap -A "2021-08-15 21:34:30" -B "2021-08-15 21:35:00" test.pcapng test1.pcapng
从 test.pcapng 中读取指定时间前后的数据包,然后保存为 test1.pcapng
Duplicate packet removal
重复数据包删除选项,主要包括以下:
Duplicate packet removal:
--novlan remove vlan info from packets before checking for duplicates.
-d remove packet if duplicate (window == 5).
-D <dup window> remove packet if duplicate; configurable <dup window>.
Valid <dup window> values are 0 to 1000000.
NOTE: A <dup window> of 0 with -v (verbose option) is
useful to print MD5 hashes.
-w <dup time window> remove packet if duplicate packet is found EQUAL TO OR
LESS THAN <dup time window> prior to current packet.
A <dup time window> is specified in relative seconds
(e.g. 0.000001).
NOTE: The use of the 'Duplicate packet removal' options with
other editcap options except -v may not always work as expected.
Specifically the -r, -t or -S options will very likely NOT have the
desired effect if combined with the -d, -D or -w.
--skip-radiotap-header skip radiotap header when checking for packet duplicates.
Useful when processing packets captured by multiple radios
on the same channel in the vicinity of each other.
$ editcap --novlan test.pcapng test1.pcapng
跟踪文件实测实际无效果,查询文档或与数据包文件相关,需满足 linux sll + vlan 条件的数据包文件。
$ editcap -d test.pcapng test1.pcapng
2 packets seen, 1 packet skipped with duplicate window of 5 packets.
尝试删除重复的数据包,将当前报文的长度和MD5哈希值与前4个报文进行比较。如果找到匹配,则删除当前报文。这个选项相当于使用选项-D 5。
$ editcap -d -D 6 test1.pcapng test2.pcapng
6 packets seen, 1 packet skipped with duplicate window of 6 packets.
6个窗口,即将当前报文的长度和MD5哈希值与前5个报文进行比较。
$ editcap -D 0 -V test1.pcapng test2.pcapng
File test1.pcapng is a InfoVista 5View capture capture file.
Packet: 1, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
Packet: 2, Len: 112, MD5 Hash: 8115aa6990b2064660934f36f1b5bacc
Packet: 3, Len: 112, MD5 Hash: 1fbf43ee3fb682cb82d5adddf87bb0cc
Packet: 4, Len: 112, MD5 Hash: 129fcc09853b16a260b55b92656fb148
Packet: 5, Len: 112, MD5 Hash: 4f2a15c3946ab86b6fccf70ad84d57a9
Packet: 6, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
6 packets seen, 0 packets skipped with duplicate window of 0 packets.
$ editcap -w 0.000015 test.pcapng test2.pcapng
6 packets seen, 1 packet skipped with duplicate time window equal to or less than 0.000015000 seconds.
$ editcap --skip-radiotap-header
当检查数据包重复时跳过 radiotap 头部。因无合适数据包文件,暂无测试。
Packet manipulation
数据包编辑操作选项,主要包括以下:
Packet manipulation:
-s <snaplen> truncate each packet to max. <snaplen> bytes of data.
-C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values
chop at the packet beginning, negative values at the
packet end. If an optional offset precedes the length,
then the bytes chopped will be offset from that value.
Positive offsets are from the packet beginning,
negative offsets are from the packet end. You can use
this option more than once, allowing up to 2 chopping
regions within a packet provided that at least 1
choplen is positive and at least 1 is negative.
-L adjust the frame (i.e. reported) length when chopping
and/or snapping.
-t <time adjustment> adjust the timestamp of each packet.
<time adjustment> is in relative seconds (e.g. -0.5).
-S <strict adjustment> adjust timestamp of packets if necessary to ensure
strict chronological increasing order. The <strict
adjustment> is specified in relative seconds with
values of 0 or 0.000001 being the most reasonable.
A negative adjustment value will modify timestamps so
that each packet's delta time is the absolute value
of the adjustment specified. A value of -0 will set
all packets to the timestamp of the first packet.
-E <error probability> set the probability (between 0.0 and 1.0 incl.) that
a particular packet byte will be randomly changed.
-o <change offset> When used in conjunction with -E, skip some bytes from the
beginning of the packet. This allows one to preserve some
bytes, in order to have some headers untouched.
--seed <seed> When used in conjunction with -E, set the seed to use for
the pseudo-random number generator. This allows one to
repeat a particular sequence of errors.
-I <bytes to ignore> ignore the specified number of bytes at the beginning
of the frame during MD5 hash calculation, unless the
frame is too short, then the full frame is used.
Useful to remove duplicated packets taken on
several routers (different mac addresses for
example).
e.g. -I 26 in case of Ether/IP will ignore
ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
-a <framenum>:<comment> Add or replace comment for given frame number
$ editcap -s 60 test.pcapng test1.pcapng
按 60 字节长度截断数据包。
$ editcap -C 12:4 test.pcapng test2.pcapng
删除 vlan
+---+-------+-----------+---------------+-------------------+
| 5 | 10 | 15 | 20 | 25 |
+---+-------+-----------+---------------+-------------------+
删除 10 和 20 区域字节
$ editcap -C 5:10 -C -25:-20 test1.pcapng test2.pcapng
$ editcap -C 5:10 -C 50:-20 test1.pcapng test2.pcapng
$ editcap -C -70:10 -C -25:-20 test1.pcapng test2.pcapng
$ editcap -C -70:10 -C 50:-20 test1.pcapng test2.pcapng
$ editcap -C 30:20 -C -60:-10 test1.pcapng test2.pcapng
$ editcap -C 30:20 -C 15:-10 test1.pcapng test2.pcapng
$ editcap -C -45:20 -C -60:-10 test1.pcapng test2.pcapng
$ editcap -C -45:20 -C 15:-10 test1.pcapng test2.pcapng
$ editcap -L -C 12:4 test.pcapng test2.pcapng
无 -L 时,-C 删除 4 字节,最终会显示 Frame 长度 112 ,捕获长度 108;有 -L 时,-C 删除 4 字节,最终会显示 Frame 长度 108 ,捕获长度 108 。
$ editcap -t -1 test.pcapng test2.pcapng
每个数据包往前调整1s
$ editcap -S -1 test.pcapng test2.pcapng
每个数据包按 1s 时间顺序递增
$ editcap -E -0.2 test.pcapng test2.pcapng
设置随机改变一个特定数据包字节的概率为 0.2 。此选项用于模糊测试协议解析器。
$ editcap -E -0.2 -o 34 test.pcapng test2.pcapng
跳过数据包开头的 34 字节,设置随机改变一个特定数据包字节的概率为 0.2。
$ editcap -E -0.2 --seed 10 test.pcapng test2.pcapng
设置伪随机数生成器的种子,这允许重复特定的错误序列。
$ editcap -d -I 26 test.pcapng test2.pcapng
20348 packets seen, 11 packets skipped with duplicate window of 5 packets.
在MD5哈希计算时,忽略帧开始的指定字节数,除非该帧太短,否则将使用完整帧。
$ editcap -a 1:"test teset" test.pcapng test2.pcapng
增加或替换指定数据包的注释
Output File(s)
输出文件选项,主要包括以下:
Output File(s):
-c <packets per file> split the packet output to different files based on
uniform packet counts with a maximum of
<packets per file> each.
-i <seconds per file> split the packet output to different files based on
uniform time intervals with a maximum of
<seconds per file> each.
-F <capture type> set the output file type; default is pcapng.
An empty "-F" option will list the file types.
-T <encap type> set the output file encapsulation type; default is the
same as the input file. An empty "-T" option will
list the encapsulation types.
--inject-secrets <type>,<file> Insert decryption secrets from <file>. List
supported secret types with "--inject-secrets help".
--discard-all-secrets Discard all decryption secrets from the input file
when writing the output file. Does not discard
secrets added by "--inject-secrets" in the same
command line.
--capture-comment <comment>
Add a capture file comment, if supported.
--discard-capture-comment
Discard capture file comments from the input file
when writing the output file. Does not discard
comments added by "--capture-comment" in the same
command line.
$ editcap -c 4 icmp.pcapng icmp1.pcapng
每 4 个包分成一个文件,从00000开始,然后是它的第一个包的时间戳。如果输入文件不包含时间戳信息,则省略时间戳。
譬如 icmp.pcapng 中一共 16 个数据包,分割成了 icmp1_00000_20210704113248.pcapng、icmp1_00001_20210704113249.pcapng、icmp1_00002_20210704113250.pcapng、icmp1_00003_20210704113251.pcapng 4个文件。
$ editcap -i 1 icmp.pcapng icmp1.pcapng
根据统一的时间间隔将数据包输出分割到不同的文件,每个文件的最大间隔为 1 秒。允许使用浮点值(例如0.5)。
$ editcap -F
editcap: The available capture file types for the "-F" flag are:
pcap - Wireshark/tcpdump/... - pcap
pcapng - Wireshark/... - pcapng
5views - InfoVista 5View capture
btsnoop - Symbian OS btsnoop
commview-ncf - TamoSoft CommView NCF
commview-ncfx - TamoSoft CommView NCFX
dct2000 - Catapult DCT2000 trace (.out format)
erf - Endace ERF capture
eyesdn - EyeSDN USB S0/E1 ISDN trace format
k12text - K12 text file
lanalyzer - Novell LANalyzer
logcat - Android Logcat Binary format
logcat-brief - Android Logcat Brief text format
logcat-long - Android Logcat Long text format
logcat-process - Android Logcat Process text format
logcat-tag - Android Logcat Tag text format
logcat-thread - Android Logcat Thread text format
logcat-threadtime - Android Logcat Threadtime text format
logcat-time - Android Logcat Time text format
modpcap - Modified tcpdump - pcap
netmon1 - Microsoft NetMon 1.x
netmon2 - Microsoft NetMon 2.x
nettl - HP-UX nettl trace
ngsniffer - Sniffer (DOS)
ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
ngwsniffer_2_0 - Sniffer (Windows) 2.00x
nokiapcap - Nokia tcpdump - pcap
nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
nstrace10 - NetScaler Trace (Version 1.0)
nstrace20 - NetScaler Trace (Version 2.0)
nstrace30 - NetScaler Trace (Version 3.0)
nstrace35 - NetScaler Trace (Version 3.5)
observer - Viavi Observer
rf5 - Tektronix K12xx 32-bit .rf5 format
rh6_1pcap - RedHat 6.1 tcpdump - pcap
snoop - Sun snoop
suse6_3pcap - SuSE 6.3 tcpdump - pcap
visual - Visual Networks traffic capture
$ editcap -F pcap
设置输出捕获文件的文件格式。缺省为pcapng格式。
$ editcap -T
editcap: The available encapsulation types for the "-T" flag are:
ap1394 - Apple IP-over-IEEE 1394
arcnet - ARCNET
arcnet_linux - Linux ARCNET
ascend - Lucent/Ascend access equipment
atm-pdus - ATM PDUs
atm-pdus-untruncated - ATM PDUs - untruncated
atm-rfc1483 - RFC 1483 ATM
ax25 - Amateur Radio AX.25
ax25-kiss - AX.25 with KISS header
bacnet-ms-tp - BACnet MS/TP
bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
ber - ASN.1 Basic Encoding Rules
bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
bluetooth-h4 - Bluetooth H4
bluetooth-h4-linux - Bluetooth H4 with linux header
bluetooth-hci - Bluetooth without transport layer
bluetooth-le-ll - Bluetooth Low Energy Link Layer
bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
bluetooth-linux-monitor - Bluetooth Linux Monitor
can20b - Controller Area Network 2.0B
chdlc - Cisco HDLC
chdlc-with-direction - Cisco HDLC with Directional Info
cosine - CoSine L2 debug log
dbus - D-Bus
dct2000 - Catapult DCT2000
docsis - Data Over Cable Service Interface Specification
docsis31_xra31 - DOCSIS with Excentis XRA pseudo-header
dpauxmon - DisplayPort AUX channel with Unigraf pseudo-header
dpnss_link - Digital Private Signalling System No 1 Link Layer
dvbci - DVB-CI (Common Interface)
ebhscr - Elektrobit High Speed Capture and Replay
enc - OpenBSD enc(4) encapsulating interface
epon - Ethernet Passive Optical Network
erf - Extensible Record Format
eri_enb_log - Ericsson eNode-B raw log
ether - Ethernet
ether-mpacket - IEEE 802.3br mPackets
ether-nettl - Ethernet with nettl headers
etw - Event Tracing for Windows messages
fc2 - Fibre Channel FC-2
fc2sof - Fibre Channel FC-2 With Frame Delimiter
fddi - FDDI
fddi-nettl - FDDI with nettl headers
fddi-swapped - FDDI with bit-swapped MAC addresses
flexray - FlexRay
frelay - Frame Relay
frelay-with-direction - Frame Relay with Directional Info
gcom-serial - GCOM Serial
gcom-tie1 - GCOM TIE1
gfp-f - ITU-T G.7041/Y.1303 Generic Framing Procedure Frame-mapped mode
gfp-t - ITU-T G.7041/Y.1303 Generic Framing Procedure Transparent mode
gprs-llc - GPRS LLC
gsm_um - GSM Um Interface
hhdlc - HiPath HDLC
i2c-linux - I2C with Linux-specific pseudo-header
ieee-802-11 - IEEE 802.11 Wireless LAN
ieee-802-11-avs - IEEE 802.11 plus AVS radio header
ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
infiniband - InfiniBand
ios - Cisco IOS internal
ip-ib - IP over IB
ip-over-fc - RFC 2625 IP-over-Fibre Channel
ip-over-ib - IP over InfiniBand
ipfix - RFC 5655/RFC 5101 IPFIX
ipmb-kontron - Intelligent Platform Management Bus with Kontron pseudo-header
ipmi-trace - IPMI Trace Data Collection
ipnet - Solaris IPNET
irda - IrDA
isdn - ISDN
iso14443 - ISO 14443 contactless smartcard standards
ixveriwave - IxVeriWave header and stats block
jfif - JPEG/JFIF
json - JavaScript Object Notation
juniper-atm1 - Juniper ATM1
juniper-atm2 - Juniper ATM2
juniper-chdlc - Juniper C-HDLC
juniper-ether - Juniper Ethernet
juniper-frelay - Juniper Frame-Relay
juniper-ggsn - Juniper GGSN
juniper-mlfr - Juniper MLFR
juniper-mlppp - Juniper MLPPP
juniper-ppp - Juniper PPP
juniper-pppoe - Juniper PPPoE
juniper-st - Juniper Secure Tunnel Information
juniper-svcs - Juniper Services
juniper-vn - Juniper VN
juniper-vp - Juniper Voice PIC
k12 - K12 protocol analyzer
lapb - LAPB
lapd - LAPD
layer1-event - EyeSDN Layer 1 event
lin - Local Interconnect Network
linux-atm-clip - Linux ATM CLIP
linux-lapd - LAPD with Linux pseudo-header
linux-sll - Linux cooked-mode capture v1
linux-sll2 - Linux cooked-mode capture v2
log_3GPP - 3GPP Phone Log
logcat - Android Logcat Binary format
logcat_brief - Android Logcat Brief text format
logcat_long - Android Logcat Long text format
logcat_process - Android Logcat Process text format
logcat_tag - Android Logcat Tag text format
logcat_thread - Android Logcat Thread text format
logcat_threadtime - Android Logcat Threadtime text format
logcat_time - Android Logcat Time text format
loop - OpenBSD loopback
loratap - LoRaTap
ltalk - Localtalk
message_analyzer_wfp_capture2_v4 - Message Analyzer WFP Capture2 v4
message_analyzer_wfp_capture2_v6 - Message Analyzer WFP Capture2 v6
message_analyzer_wfp_capture_auth_v4 - Message Analyzer WFP Capture Auth v4
message_analyzer_wfp_capture_auth_v6 - Message Analyzer WFP Capture Auth v6
message_analyzer_wfp_capture_v4 - Message Analyzer WFP Capture v4
message_analyzer_wfp_capture_v6 - Message Analyzer WFP Capture v6
mime - MIME
most - Media Oriented Systems Transport
mp2ts - ISO/IEC 13818-1 MPEG2-TS
mp4 - MP4 files
mpeg - MPEG
mtp2 - SS7 MTP2
mtp2-with-phdr - MTP2 with pseudoheader
mtp3 - SS7 MTP3
mux27010 - MUX27010
netanalyzer - Hilscher netANALYZER
netanalyzer-transparent - Hilscher netANALYZER-Transparent
netlink - Linux Netlink
netmon_event - Network Monitor Network Event
netmon_filter - Network Monitor Filter
netmon_header - Network Monitor Header
netmon_network_info - Network Monitor Network Info
nfc-llcp - NFC LLCP
nflog - NFLOG
nordic_ble - nRF Sniffer for Bluetooth LE
nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
nstrace35 - NetScaler Encapsulation 3.5 of Ethernet
null - NULL/Loopback
packetlogger - Apple Bluetooth PacketLogger
pflog - OpenBSD PF Firewall logs
pflog-old - OpenBSD PF Firewall logs, pre-3.4
pktap - Apple PKTAP
ppi - Per-Packet Information header
ppp - PPP
ppp-with-direction - PPP with Directional Info
pppoes - PPP-over-Ethernet session
raw-icmp-nettl - Raw ICMP with nettl headers
raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
raw-telnet-nettl - Raw telnet with nettl headers
rawip - Raw IP
rawip-nettl - Raw IP with nettl headers
rawip4 - Raw IPv4
rawip6 - Raw IPv6
redback - Redback SmartEdge
rfc7468 - RFC 7468 file
rtac-serial - RTAC serial-line
ruby_marshal - Ruby marshal object
s4607 - STANAG 4607
s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
sccp - SS7 SCCP
sctp - SCTP
sdh - SDH
sdjournal - systemd journal
sdlc - SDLC
sita-wan - SITA WAN packets
slip - SLIP
socketcan - SocketCAN
symantec - Symantec Enterprise Firewall
tnef - Transport-Neutral Encapsulation Format
tr - Token Ring
tr-nettl - Token Ring with nettl headers
tzsp - Tazmen sniffer protocol
unknown - Unknown
unknown-nettl - Unknown link-layer type with nettl headers
usb-20 - USB 2.0/1.1/1.0 packets
usb-darwin - USB packets with Darwin (macOS, etc.) headers
usb-freebsd - USB packets with FreeBSD header
usb-linux - USB packets with Linux header
usb-linux-mmap - USB packets with Linux header and padding
usb-usbpcap - USB packets with USBPcap header
user0 - USER 0
user1 - USER 1
user2 - USER 2
user3 - USER 3
user4 - USER 4
user5 - USER 5
user6 - USER 6
user7 - USER 7
user8 - USER 8
user9 - USER 9
user10 - USER 10
user11 - USER 11
user12 - USER 12
user13 - USER 13
user14 - USER 14
user15 - USER 15
v5-ef - V5 Envelope Function
vpp - Vector Packet Processing graph dispatch trace
vsock - Linux vsock
whdlc - Wellfleet HDLC
wireshark-upper-pdu - Wireshark Upper PDU export
wpan - IEEE 802.15.4 Wireless PAN
wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
wpan-tap - IEEE 802.15.4 Wireless with TAP pseudo-header
x2e-serial - X2E serial line capture
x2e-xoraya - X2E Xoraya
x25-nettl - X.25 with nettl headers
xeth - Xerox 3MB Ethernet
zwave-serial - Z-Wave Serial API packets
$ editcap -T linux-sll
设置输出捕获文件的包封装类型。如果 -T 用于指定封装类型,输出捕获文件的封装类型将被强制为指定类型。默认类型适合于输入捕获文件的封装类型。
$ editcap --inject-secrets <secrets type>,<file>
$ editcap --inject-secrets help
tls
wg
$ editcap --inject-secrets tls,tls.log test.pcapng test1.pcapng
将tls密钥加进test.pcapng中的 Decryption Secrets Block (DSB),输出test1.pcapng
$ editcap --discard-all-secrets test1.pcapng test.pcapng
当写入输出文件时,丢弃输入文件中的所有解密密钥。
$ editcap --capture-comment "test test" test.pcapng test1.pcapng
将给定的注释添加到输出文件中,如果输出文件格式支持的话,将在输入文件中出现的任何注释之后添加新的注释。此选项可以指定多次。注意,Wireshark 目前只显示捕获文件的第一个注释。
$ editcap --discard-capture-comment test1.pcapng test.pcapng
丢弃来自输入文件的所有捕获文件注释。
Miscellaneous
杂项选项,主要包括以下:
Miscellaneous:
-h, --help display this help and exit.
-V verbose output.
If -V is used with any of the 'Duplicate Packet
Removal' options (-d, -D or -w) then Packet lengths
and MD5 hashes are printed to standard-error.
-v, --version print version information and exit.
$ editcap -h
Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Edit and/or translate the format of capture files.
See https://www.wireshark.org for more information.
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
<infile> and <outfile> must both be present; use '-' for stdin or stdout.
A single packet or a range of packets can be selected.
Packet selection:
-r keep the selected packets; default is to delete them.
-A <start time> only read packets whose timestamp is after (or equal
to) the given time.
-B <stop time> only read packets whose timestamp is before the
given time.
Time format for -A/-B options is
YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
Unix epoch timestamps are also supported.
Duplicate packet removal:
--novlan remove vlan info from packets before checking for duplicates.
-d remove packet if duplicate (window == 5).
-D <dup window> remove packet if duplicate; configurable <dup window>.
Valid <dup window> values are 0 to 1000000.
NOTE: A <dup window> of 0 with -V (verbose option) is
useful to print MD5 hashes.
-w <dup time window> remove packet if duplicate packet is found EQUAL TO OR
LESS THAN <dup time window> prior to current packet.
A <dup time window> is specified in relative seconds
(e.g. 0.000001).
NOTE: The use of the 'Duplicate packet removal' options with
other editcap options except -V may not always work as expected.
Specifically the -r, -t or -S options will very likely NOT have the
desired effect if combined with the -d, -D or -w.
--skip-radiotap-header skip radiotap header when checking for packet duplicates.
Useful when processing packets captured by multiple radios
on the same channel in the vicinity of each other.
Packet manipulation:
-s <snaplen> truncate each packet to max. <snaplen> bytes of data.
-C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values
chop at the packet beginning, negative values at the
packet end. If an optional offset precedes the length,
then the bytes chopped will be offset from that value.
Positive offsets are from the packet beginning,
negative offsets are from the packet end. You can use
this option more than once, allowing up to 2 chopping
regions within a packet provided that at least 1
choplen is positive and at least 1 is negative.
-L adjust the frame (i.e. reported) length when chopping
and/or snapping.
-t <time adjustment> adjust the timestamp of each packet.
<time adjustment> is in relative seconds (e.g. -0.5).
-S <strict adjustment> adjust timestamp of packets if necessary to ensure
strict chronological increasing order. The <strict
adjustment> is specified in relative seconds with
values of 0 or 0.000001 being the most reasonable.
A negative adjustment value will modify timestamps so
that each packet's delta time is the absolute value
of the adjustment specified. A value of -0 will set
all packets to the timestamp of the first packet.
-E <error probability> set the probability (between 0.0 and 1.0 incl.) that
a particular packet byte will be randomly changed.
-o <change offset> When used in conjunction with -E, skip some bytes from the
beginning of the packet. This allows one to preserve some
bytes, in order to have some headers untouched.
--seed <seed> When used in conjunction with -E, set the seed to use for
the pseudo-random number generator. This allows one to
repeat a particular sequence of errors.
-I <bytes to ignore> ignore the specified number of bytes at the beginning
of the frame during MD5 hash calculation, unless the
frame is too short, then the full frame is used.
Useful to remove duplicated packets taken on
several routers (different mac addresses for
example).
e.g. -I 26 in case of Ether/IP will ignore
ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
-a <framenum>:<comment> Add or replace comment for given frame number
Output File(s):
-c <packets per file> split the packet output to different files based on
uniform packet counts with a maximum of
<packets per file> each.
-i <seconds per file> split the packet output to different files based on
uniform time intervals with a maximum of
<seconds per file> each.
-F <capture type> set the output file type; default is pcapng.
An empty "-F" option will list the file types.
-T <encap type> set the output file encapsulation type; default is the
same as the input file. An empty "-T" option will
list the encapsulation types.
--inject-secrets <type>,<file> Insert decryption secrets from <file>. List
supported secret types with "--inject-secrets help".
--discard-all-secrets Discard all decryption secrets from the input file
when writing the output file. Does not discard
secrets added by "--inject-secrets" in the same
command line.
--capture-comment <comment>
Add a capture file comment, if supported.
--discard-capture-comment
Discard capture file comments from the input file
when writing the output file. Does not discard
comments added by "--capture-comment" in the same
command line.
Miscellaneous:
-h, --help display this help and exit.
-V verbose output.
If -V is used with any of the 'Duplicate Packet
Removal' options (-d, -D or -w) then Packet lengths
and MD5 hashes are printed to standard-error.
-v, --version print version information and exit.
$ editcap -rV test.pcapng test1.pcapng 1
File test.pcapng is a InfoVista 5View capture capture file.
Add_Selected: 1
Not inclusive ... 1
Packet: 1
$ editcap -dV test.pcapng test1.pcapng
File test.pcapng is a InfoVista 5View capture capture file.
Packet: 1, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
Packet: 2, Len: 112, MD5 Hash: 8115aa6990b2064660934f36f1b5bacc
Packet: 3, Len: 112, MD5 Hash: 1fbf43ee3fb682cb82d5adddf87bb0cc
Packet: 4, Len: 112, MD5 Hash: 129fcc09853b16a260b55b92656fb148
Packet: 5, Len: 112, MD5 Hash: 4f2a15c3946ab86b6fccf70ad84d57a9
Packet: 6, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
6 packets seen, 0 packets skipped with duplicate window of 5 packets.
$ editcap -v
Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b).
Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with binary plugins.
Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) Gold
6242R CPU @ 3.10GHz (with SSE4.2), with 16382 MB of physical memory, with GLib
2.72.3, with PCRE2 10.40 2022-04-14, with LC_TYPE=C, binary plugins supported.