editcap.exe -h
Editcap (Wireshark) 2.4.1 (v2.4.1-0-gf42a0d2b6c)
Edit and/or translate the format of capture files.
See https://www.wireshark.org for more information.

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only output packets whose timestamp is after (or equal
                         to) the given time (format as YYYY-MM-DD hh:mm:ss).
  -B <stop time>         only output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss).

Duplicate packet removal:
  --novlan               remove vlan info from packets before checking for duplicates.
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>.
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).
  -a <framenum>:<comment> Add or replace comment for given frame number

  -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                         of the frame during MD5 hash calculation, unless the
                         frame is too short, then the full frame is used.
                         Useful to remove duplicated packets taken on
                         several routers (different mac addresses for
                         example).
                         e.g. -I 26 in case of Ether/IP will ignore
                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).

           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -v may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame (i.e. reported) length when chopping
                         and/or snapping.
  -t <time adjustment>   adjust the timestamp of each packet.
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                         a particular packet byte will be randomly changed.
  -o <change offset>     When used in conjunction with -E, skip some bytes from the
                         beginning of the packet. This allows one to preserve some
                         bytes, in order to have some headers untouched.

Output File(s):
  -c <packets per file>  split the packet output to different files based on
                         uniform packet counts with a maximum of
                         <packets per file> each.
  -i <seconds per file>  split the packet output to different files based on
                         uniform time intervals with a maximum of
                         <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng. An empty
                         "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type; default is the
                         same as the input file. An empty "-T" option will
                         list the encapsulation types.

Miscellaneous:
  -h                     display this help and exit.
  -v                     verbose output.
                         If -v is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-error.


editcap.exe -F
editcap.exe: option requires an argument -- 'F'
editcap: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    logcat - Android Logcat Binary format
    logcat-brief - Android Logcat Brief text format
    logcat-long - Android Logcat Long text format
    logcat-process - Android Logcat Process text format
    logcat-tag - Android Logcat Tag text format
    logcat-thread - Android Logcat Thread text format
    logcat-threadtime - Android Logcat Threadtime text format
    logcat-time - Android Logcat Time text format
    modpcap - Modified tcpdump - pcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - Sniffer (DOS)
    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
    ngwsniffer_2_0 - Sniffer (Windows) 2.00x
    niobserver - Network Instruments Observer
    nokiapcap - Nokia tcpdump - pcap
    nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    nstrace30 - NetScaler Trace (Version 3.0)
    nstrace35 - NetScaler Trace (Version 3.5)
    pcap - Wireshark/tcpdump/... - pcap
    pcapng - Wireshark/... - pcapng
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1pcap - RedHat 6.1 tcpdump - pcap
    snoop - Sun snoop
    suse6_3pcap - SuSE 6.3 tcpdump - pcap
    visual - Visual Networks traffic capture
editcap is a component of Wireshark. On Windows, once Wireshark is installed, editcap.exe can be found in the installation directory. editcap.exe is a command-line tool.
Packets captured with an Endace DAG capture card are generally in ERF format. ERF stands for Extensible Record Format; the format is described at http://wiki.wireshark.org/ERF. As that page shows, it is completely different from the pcap file format; in general, ERF files carry more link-layer information.
In most cases, however, the programs we have written on top of the Wireshark source can only read pcap files, so we would rather convert the ERF file to pcap. The editcap command does exactly this.
Starting with the simplest example, the following command converts an erf file directly into a pcap file.
editcap.exe -F pcap -T ether erf-ethernet-example.erf erf-ethernet-example.pcap
The various editcap parameters are described below.
1. -F <file format> Used in the command above. Specifies the output file format; running editcap -F lists all supported formats. We want pcap, so we simply write pcap. Note that on Linux, when converting to a pcap file, the keyword "libpcap" should be used, and remember to install the libpcap library first.
2. -T <encapsulation format> Also used above. This is the encapsulation type; running editcap -T lists all supported types. The encapsulation type determines at which layer the data portion of each packet starts: ether means the link layer (Ethernet), ip means the network layer, and tcp and the like are also possible.
3. -s <snaplen> A feature similar to tcpdump's; the snaplen value that follows it is the truncation length. It does not truncate counting from the start of the data portion, but from the payload that follows the ethernet/ip header/tcp header part of the data.
4. -c <packets per file> This is a great feature. Some people cannot handle very large capture files; some datasets, for example, ship files of 2 GB and up, so what do you do when one cannot be processed in a single pass? Use -c. Specify a number of packets per file; once a file holds that many packets, the next one is written. The resulting files are named by appending a numeric suffix to the output filename you specified.
5. -C <choplen> Another great feature: it cuts a slice straight out of each packet. The name says it all: chop means to cut away a segment from the middle of the packet. Following the example in editcap's online documentation, this option makes it easy to deal with packets carrying an 802.1q VLAN tag: chopping bytes 12-15 of the packet (4 bytes in total) is enough, and the remaining data is unaffected, as if the tag had never been there. The specific command is
editcap -L -C 12:4 capture_vlan.pcap capture_no_vlan.pcap
The -C argument has many more variations, which are not covered here. Unfortunately, older versions of -C do not seem to support the colon form of the argument used in the example above.
6. -A <start time>/-B <stop time> Specify the start and stop times. This is a bit like a certain Linux command (to be filled in once I have checked which one), but more intuitive: -A sets the start time and -B the stop time; think of the buttons on a tape recorder and it is easy to remember. Times are given in the format YYYY-MM-DD HH:MM:SS.
7. -D <dup window>/-w <dup time window> Used to try to remove duplicate packets from the capture file. For -D, the dup window parameter specifies the number of preceding packets to check; for -w, the dup time window specifies the length of time to look back.
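As an added worked example (my own reimplementation on constructed frames, not part of the original post and not editcap's code), the following Python mirrors the two operations from items 5 and 7 above: the -L -C 12:4 chop that removes an 802.1Q tag, and the -D/-I MD5 duplicate window. The frame bytes, the function names and the rule that a dropped frame's hash still enters the window are assumptions of this example.

```python
import hashlib
from collections import deque

# Constructed sample frame parts (not from a real capture): Ethernet II + 802.1Q tag
# + minimal IPv4 header (checksum zeroed, protocol value arbitrary) + 4 payload bytes.
DST_MAC = bytes.fromhex("aabbccddeeff")
SRC_MAC = bytes.fromhex("001122334455")
VLAN_TAG = bytes.fromhex("81000064")            # TPID 0x8100, VLAN ID 100
ETHERTYPE_IPV4 = bytes.fromhex("0800")
IP_HDR = (bytes.fromhex("45000018000040004011") + bytes(2)
          + bytes.fromhex("0a000001") + bytes.fromhex("0a000002"))

def build_frame(src_mac=SRC_MAC, payload=b"\xde\xad\xbe\xef"):
    """42-byte tagged frame: 14 Ethernet + 4 VLAN + 20 IPv4 + 4 payload."""
    return DST_MAC + src_mac + VLAN_TAG + ETHERTYPE_IPV4 + IP_HDR + payload

def chop(frame, choplen, offset=0):
    """Positive-length case of -C [offset:]<choplen>: drop choplen bytes at offset
    from the packet start (hypothetical reimplementation, not editcap's code)."""
    return frame[:offset] + frame[offset + choplen:]

def strip_vlan(frame):
    """The -L -C 12:4 recipe: remove an 802.1Q tag at bytes 12-15 and return the
    frame with its adjusted reported length, as -L would record it."""
    if frame[12:14] != b"\x81\x00":
        return frame, len(frame)
    stripped = chop(frame, 4, 12)
    return stripped, len(stripped)

def packet_hash(frame, ignore_bytes=0):
    """MD5 of the frame minus its first ignore_bytes (-I); a frame too short
    to skip that many bytes is hashed whole, as the help text says."""
    body = frame[ignore_bytes:] if len(frame) > ignore_bytes else frame
    return hashlib.md5(body).hexdigest()

def dedup(frames, window=5, ignore_bytes=0):
    """-D <window> as documented above: drop a frame whose hash matches one of the
    previous window-1 frames (-d is window 5, i.e. the prior four).
    Assumption: every frame's hash enters the window, kept or dropped."""
    recent = deque(maxlen=max(window - 1, 0))
    kept = []
    for frame in frames:
        digest = packet_hash(frame, ignore_bytes)
        if digest not in recent:
            kept.append(frame)
        recent.append(digest)
    return kept
```

Calling dedup with ignore_bytes=14 shows why -I matters: two copies of the same packet recorded on different routers differ only in the Ethernet header, and only hash as duplicates once those 14 bytes are skipped.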
To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:
editcap -s 64 -F snoop capture.pcap shortcapture.snoop
To delete packet 1000 from the capture file use:
editcap capture.pcap sans1000.pcap 1000
To limit a capture file to packets from number 200 to 750 (inclusive) use:
editcap -r capture.pcap small.pcap 200-750
To get all packets from number 1-500 (inclusive) use:
editcap -r capture.pcap first500.pcap 1-500
or
editcap capture.pcap first500.pcap 501-9999999
To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:
editcap capture.pcap exclude.pcap 1 5 10-20 30-40
To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:
editcap -r capture.pcap select.pcap 1 5 10-20 30-40
To remove duplicate packets seen within the prior four frames use:
editcap -d capture.pcap dedup.pcap
To remove duplicate packets seen within the prior 100 frames use:
editcap -D 101 capture.pcap dedup.pcap
To remove duplicate packets seen equal to or less than 1/10th of a second:
editcap -w 0.1 capture.pcap dedup.pcap
To display the MD5 hash for all of the packets (and NOT generate any real output file):
editcap -v -D 0 capture.pcap /dev/null
or on Windows systems
editcap -v -D 0 capture.pcap NUL
To introduce 5% random errors in a capture file use:
editcap -E 0.05 capture.pcap capture_error.pcap