    editcap.exe -h
    Editcap (Wireshark) 2.4.1 (v2.4.1-0-gf42a0d2b6c)
    Edit and/or translate the format of capture files.

    Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

    <infile> and <outfile> must both be present.
    A single packet or a range of packets can be selected.

    Packet selection:
      -r                     keep the selected packets; default is to delete them.
      -A <start time>        only output packets whose timestamp is after (or equal
                             to) the given time (format as YYYY-MM-DD hh:mm:ss).
      -B <stop time>         only output packets whose timestamp is before the
                             given time (format as YYYY-MM-DD hh:mm:ss).

    Duplicate packet removal:
      --novlan               remove vlan info from packets before checking for duplicates.
      -d                     remove packet if duplicate (window == 5).
      -D <dup window>        remove packet if duplicate; configurable <dup window>.
                             Valid <dup window> values are 0 to 1000000.
                             NOTE: A <dup window> of 0 with -v (verbose option) is
                             useful to print MD5 hashes.
      -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                             LESS THAN <dup time window> prior to current packet.
                             A <dup time window> is specified in relative seconds
                             (e.g. 0.000001).
      -a <framenum>:<comment> Add or replace comment for given frame number

      -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                             of the frame during MD5 hash calculation, unless the
                             frame is too short, then the full frame is used.
                             Useful to remove duplicated packets taken on
                             several routers (different mac addresses for
                             example).
                             e.g. -I 26 in case of Ether/IP will ignore
                             ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).

               NOTE: The use of the 'Duplicate packet removal' options with
               other editcap options except -v may not always work as expected.
               Specifically the -r, -t or -S options will very likely NOT have the
               desired effect if combined with the -d, -D or -w.

    Packet manipulation:
      -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
      -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                             chop at the packet beginning, negative values at the
                             packet end. If an optional offset precedes the length,
                             then the bytes chopped will be offset from that value.
                             Positive offsets are from the packet beginning,
                             negative offsets are from the packet end. You can use
                             this option more than once, allowing up to 2 chopping
                             regions within a packet provided that at least 1
                             choplen is positive and at least 1 is negative.
      -L                     adjust the frame (i.e. reported) length when chopping
                             and/or snapping.
      -t <time adjustment>   adjust the timestamp of each packet.
                             <time adjustment> is in relative seconds (e.g. -0.5).
      -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                             strict chronological increasing order. The <strict
                             adjustment> is specified in relative seconds with
                             values of 0 or 0.000001 being the most reasonable.
                             A negative adjustment value will modify timestamps so
                             that each packet's delta time is the absolute value
                             of the adjustment specified. A value of -0 will set
                             all packets to the timestamp of the first packet.
      -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                             a particular packet byte will be randomly changed.
      -o <change offset>     When used in conjunction with -E, skip some bytes from the
                             beginning of the packet. This allows one to preserve some
                             bytes, in order to have some headers untouched.

    Output File(s):
      -c <packets per file>  split the packet output to different files based on
                             uniform packet counts with a maximum of
                             <packets per file> each.
      -i <seconds per file>  split the packet output to different files based on
                             uniform time intervals with a maximum of
                             <seconds per file> each.
      -F <capture type>      set the output file type; default is pcapng. An empty
                             "-F" option will list the file types.
      -T <encap type>        set the output file encapsulation type; default is the
                             same as the input file. An empty "-T" option will
                             list the encapsulation types.

    Miscellaneous:
      -h                     display this help and exit.
      -v                     verbose output.
                             If -v is used with any of the 'Duplicate Packet
                             Removal' options (-d, -D or -w) then Packet lengths
                             and MD5 hashes are printed to standard-error.

    editcap.exe -F
    editcap.exe: option requires an argument -- 'F'
    editcap: The available capture file types for the "-F" flag are:
        5views - InfoVista 5View capture
        btsnoop - Symbian OS btsnoop
        commview - TamoSoft CommView
        dct2000 - Catapult DCT2000 trace (.out format)
        erf - Endace ERF capture
        eyesdn - EyeSDN USB S0/E1 ISDN trace format
        k12text - K12 text file
        lanalyzer - Novell LANalyzer
        logcat - Android Logcat Binary format
        logcat-brief - Android Logcat Brief text format
        logcat-long - Android Logcat Long text format
        logcat-process - Android Logcat Process text format
        logcat-tag - Android Logcat Tag text format
        logcat-thread - Android Logcat Thread text format
        logcat-threadtime - Android Logcat Threadtime text format
        logcat-time - Android Logcat Time text format
        modpcap - Modified tcpdump - pcap
        netmon1 - Microsoft NetMon 1.x
        netmon2 - Microsoft NetMon 2.x
        nettl - HP-UX nettl trace
        ngsniffer - Sniffer (DOS)
        ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
        ngwsniffer_2_0 - Sniffer (Windows) 2.00x
        niobserver - Network Instruments Observer
        nokiapcap - Nokia tcpdump - pcap
        nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
        nstrace10 - NetScaler Trace (Version 1.0)
        nstrace20 - NetScaler Trace (Version 2.0)
        nstrace30 - NetScaler Trace (Version 3.0)
        nstrace35 - NetScaler Trace (Version 3.5)
        pcap - Wireshark/tcpdump/... - pcap
        pcapng - Wireshark/... - pcapng
        rf5 - Tektronix K12xx 32-bit .rf5 format
        rh6_1pcap - RedHat 6.1 tcpdump - pcap
        snoop - Sun snoop
        suse6_3pcap - SuSE 6.3 tcpdump - pcap
        visual - Visual Networks traffic capture


    Packets captured with an Endace DAG capture card are normally stored in ERF format. ERF stands for Extensible Record Format; the exact layout is documented at http://wiki.wireshark.org/ERF. As that page shows, it is a completely different layout from the pcap file format, and in general an ERF file carries more link-layer information per record than pcap does. The conversion is a single editcap call:



    editcap.exe -F pcap -T ether erf-ethernet-example.erf erf-ethernet-example.pcap


    1. -F <file format>: used in the command above. Sets the output file format; running editcap -F with no argument lists every supported format. We want pcap, so we write pcap. One caveat: the identifier depends on the Wireshark version rather than on the platform. Older releases list this format as "libpcap" instead of "pcap" (the help output above is from 2.4.1), so check editcap -F on the machine you are actually using. editcap reads and writes all of these formats through Wireshark's own wiretap library, so no separate libpcap installation is needed for the conversion.

    2. -T <encapsulation type>: also used above. This is the encapsulation (link-layer) type; editcap -T with no argument lists the supported types. It tells whoever reads the output file which layer the stored bytes start at: ether means every record begins with an Ethernet header, rawip means it begins with the IP header, and so on. Note that -T only changes the encapsulation type written into the output file header; it does not rewrite or translate the packet bytes themselves. Pick the type that matches what the records really contain, otherwise Wireshark will dissect every packet with the wrong header layout.

    3. -s <snaplen>: the same idea as tcpdump's -s. snaplen is the truncation length, and it is counted from the first byte of the stored frame, not from the start of the payload: the Ethernet, IP and TCP headers are included in the count. With -s 64 on an Ethernet/IPv4/TCP packet without options you keep 14 + 20 + 20 = 54 bytes of headers plus the first 10 bytes of payload. Add -L if the recorded frame length should be adjusted as well; otherwise each record keeps its original on-the-wire length, which is how Wireshark later knows the packet was truncated.

    4. -c <packets per file>: a lifesaver when a capture is too big to process in one go, for instance datasets whose files start at 2 GB. Each output file holds at most the given number of packets; once it is full, editcap starts the next one. The output files are named by inserting a zero-padded sequence number (starting at 00000) and a timestamp before the extension of the output name you gave, so out.pcap becomes out_00000_<timestamp>.pcap, out_00001_<timestamp>.pcap and so on.

    5. -C [offset:]<choplen>: another very handy option; it cuts a run of bytes straight out of each packet. The name is literal: chop removes a slice from the middle of the frame. The example in the editcap man page uses it to strip the 802.1Q VLAN tag. In a tagged Ethernet frame the tag occupies bytes 12 to 15 (4 bytes: the TPID 0x8100 followed by the TCI) right after the two MAC addresses, so chopping those 4 bytes leaves a plain untagged frame with the EtherType back at offset 12, exactly as if the tag had never been there; nothing after it is affected. -L makes editcap also reduce the recorded frame length by the chopped amount. Two caveats: editcap applies the chop to every packet in the file, so only run it on captures where all frames are tagged (an untagged frame would lose its EtherType and the first two bytes of its IP header), and a QinQ frame carries two tags, so one chop removes only the outer one. The command is

    editcap -L -C 12:4 capture_vlan.pcap capture_no_vlan.pcap

    6. -A <start time> / -B <stop time>: set the start and end of the time range to keep. This resembles a certain Linux command (which one to be filled in after checking), but it is more intuitive: -A is the start time and -B the stop time, like the buttons on a tape recorder. Times are given as YYYY-MM-DD HH:MM:SS and are interpreted in the local time zone of the machine running editcap. Note from the help text that the start is inclusive (timestamp >= start) while the stop is exclusive (timestamp < stop).

    7. -D <dup window> / -w <dup time window>: attempt to remove duplicate packets from the capture. Both compare the length and the MD5 hash of each frame against earlier frames; -D sets how many frames back to look (a window of N covers the current frame plus the N-1 before it, so -D 101 checks the previous 100 frames), while -w sets how far back in time to look, in seconds. Combine either with -I <bytes> to skip a leading portion of the frame when hashing, so that copies of the same packet taken on different routers (different MAC addresses, decremented TTL, recomputed IP checksum) are still recognised as duplicates; -I 26 skips the Ethernet header and the IP header up to the source address.
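To see exactly what -s, -C and -L do to the bytes on disk, here is an added example written in Python; it is not part of editcap or the Wireshark project. It contains a minimal reader and writer for the classic little-endian pcap format, constructs one 802.1Q-tagged Ethernet/IPv4/TCP frame (addresses and payload are made up), and applies the equivalents of editcap -L -C 12:4 and editcap -s 64, with and without -L. The function names snap, chop, write_pcap and read_pcap belong to this example only, not to editcap.

```python
"""Added example: a tiny classic-pcap reader/writer that mimics what
editcap -s <snaplen>, -C <offset>:<choplen> and -L do to each record.
Only little-endian classic pcap with the Ethernet link type is handled."""
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4       # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1         # what "editcap -T ether" records in the file header

# One record: (ts_sec, ts_usec, incl_len (caplen), orig_len (wire length), data)
Record = Tuple[int, int, int, int, bytes]


def write_pcap(records: List[Record], snaplen: int = 65535) -> bytes:
    """Serialise records into a little-endian classic pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for sec, usec, incl_len, orig_len, data in records:
        if incl_len != len(data):
            raise ValueError("incl_len must equal the number of stored bytes")
        out += struct.pack("<IIII", sec, usec, incl_len, orig_len) + data
    return out


def read_pcap(blob: bytes) -> List[Record]:
    """Parse a little-endian classic pcap; rejects other magics and records
    whose incl_len runs past the end of the file."""
    (magic,) = struct.unpack("<I", blob[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported capture format, magic %#x" % magic)
    records, off = [], 24
    while off < len(blob):
        sec, usec, incl_len, orig_len = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        records.append((sec, usec, incl_len, orig_len, data))
        off += incl_len
    return records


def snap(records: List[Record], snaplen: int, adjust_len: bool = False) -> List[Record]:
    """editcap -s <snaplen> [-L]: keep the first snaplen bytes of each frame,
    counted from byte 0 (the Ethernet header), not from the payload. Without
    -L the record keeps the original wire length in orig_len."""
    out = []
    for sec, usec, _, orig_len, data in records:
        data = data[:snaplen]
        new_orig = min(orig_len, snaplen) if adjust_len else orig_len
        out.append((sec, usec, len(data), new_orig, data))
    return out


def chop(records: List[Record], offset: int, choplen: int,
         adjust_len: bool = False) -> List[Record]:
    """editcap -C <offset>:<choplen> [-L] for a positive offset and choplen:
    remove choplen bytes starting at byte <offset> of every frame."""
    out = []
    for sec, usec, _, orig_len, data in records:
        data = data[:offset] + data[offset + choplen:]
        new_orig = max(orig_len - choplen, 0) if adjust_len else orig_len
        out.append((sec, usec, len(data), new_orig, data))
    return out


def demo() -> dict:
    """Constructed 802.1Q-tagged Ethernet/IPv4/TCP frame run through the
    equivalents of 'editcap -L -C 12:4' and 'editcap [-L] -s 64'."""
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst MAC, src MAC
           + bytes.fromhex("8100") + bytes.fromhex("0064")               # 802.1Q TPID + TCI (VLAN 100)
           + bytes.fromhex("0800"))                                       # EtherType IPv4
    ip = bytes.fromhex("4500006400010000400600" "00c0a80001c0a80002")    # 20-byte IPv4 header
    tcp = bytes.fromhex("c0000050000000010000000050022000" "00000000")   # 20-byte TCP header
    payload = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
    frame = eth + ip + tcp + payload
    recs = read_pcap(write_pcap([(1500000000, 0, len(frame), len(frame), frame)]))

    untagged = chop(recs, 12, 4, adjust_len=True)     # editcap -L -C 12:4
    snapped = snap(untagged, 64)                       # editcap -s 64
    snapped_l = snap(untagged, 64, adjust_len=True)    # editcap -L -s 64
    for r in (untagged, snapped, snapped_l):           # every result still round-trips
        if read_pcap(write_pcap(r)) != r:
            raise AssertionError("round trip mismatch")
    return {
        "tagged_len": len(frame),
        "untagged_len": untagged[0][2],
        "ethertype_at_12": untagged[0][4][12:14],      # 0x0800 once the tag is gone
        "snap_caplen": snapped[0][2],
        "snap_origlen": snapped[0][3],                 # original 87 stays without -L
        "snap_l_origlen": snapped_l[0][3],             # becomes 64 with -L
        "payload_kept": snapped[0][4][54:],            # 10 payload bytes after 54 header bytes
    }
```

The round-trip check at the end of demo() is the useful habit here: after any editcap surgery on a capture, re-read the output and confirm that caplen, the reported length and the first bytes of each record are what you intended before feeding the file to further tooling.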

    To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:

        editcap -s 64 -F snoop capture.pcap shortcapture.snoop

    To delete packet 1000 from the capture file use:

        editcap capture.pcap sans1000.pcap 1000

    To limit a capture file to packets from number 200 to 750 (inclusive) use:

        editcap -r capture.pcap small.pcap 200-750

    To get all packets from number 1-500 (inclusive) use:

        editcap -r capture.pcap first500.pcap 1-500

    or

        editcap capture.pcap first500.pcap 501-9999999

    To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:

        editcap capture.pcap exclude.pcap 1 5 10-20 30-40

    To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:

        editcap -r capture.pcap select.pcap 1 5 10-20 30-40

    To remove duplicate packets seen within the prior four frames use:

        editcap -d capture.pcap dedup.pcap

    To remove duplicate packets seen within the prior 100 frames use:

        editcap -D 101 capture.pcap dedup.pcap

    To remove duplicate packets seen equal to or less than 1/10th of a second:

        editcap -w 0.1 capture.pcap dedup.pcap

    To display the MD5 hash for all of the packets (and NOT generate any real output file):

        editcap -v -D 0 capture.pcap /dev/null

    or on Windows systems

        editcap -v -D 0 capture.pcap NUL
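The duplicate-removal examples above state the behaviour of -d, -D and -w but do not show why -I matters in practice. The following is an added example in Python, not editcap's own code, that reimplements the comparison editcap performs: an MD5 over the frame bytes, optionally skipping the first N bytes as with -I, checked against the previous dup-window-1 frames (-D) or against frames seen within a time window (-w). The sample traffic is constructed inline: the same IPv4 packet captured on two taps, where the second copy has different MAC addresses, a decremented TTL and therefore a different IP checksum, so it only matches the first once the leading 26 bytes are ignored. The names dedup_window, dedup_time, frame_digest and ipv4_frame belong to this example only, and dedup_time assumes timestamps are already in order.

```python
"""Added example: editcap-style duplicate detection (-d/-D, -w and -I)
reimplemented over constructed frames. Not part of editcap itself."""
import hashlib
import struct
from collections import deque
from typing import List, Tuple

Packet = Tuple[float, bytes]   # (timestamp in seconds, raw frame bytes)


def frame_digest(frame: bytes, ignore_bytes: int = 0) -> str:
    """MD5 of the frame after skipping ignore_bytes (editcap -I). A frame too
    short to skip that many bytes is hashed in full, as editcap's help says."""
    view = frame[ignore_bytes:] if len(frame) > ignore_bytes else frame
    return hashlib.md5(view).hexdigest()


def dedup_window(packets: List[Packet], dup_window: int = 5,
                 ignore_bytes: int = 0) -> List[Packet]:
    """editcap -D <dup_window> [-I n] (-d is -D 5): drop a frame when one of the
    previous dup_window-1 frames has the same length and digest. A dropped
    frame still occupies a slot, as in editcap's fixed-size ring buffer."""
    kept, ring = [], deque(maxlen=max(dup_window - 1, 0))
    for ts, frame in packets:
        key = (len(frame), frame_digest(frame, ignore_bytes))
        is_dup = key in ring
        ring.append(key)
        if not is_dup:
            kept.append((ts, frame))
    return kept


def dedup_time(packets: List[Packet], window_seconds: float,
               ignore_bytes: int = 0) -> List[Packet]:
    """editcap -w <dup time window> [-I n]: drop a frame when an identical one
    was seen at most window_seconds earlier. Assumes non-decreasing
    timestamps (an assumption of this example, not a guarantee of editcap)."""
    kept, recent = [], deque()                    # recent: (ts, key) still inside the window
    for ts, frame in packets:
        key = (len(frame), frame_digest(frame, ignore_bytes))
        while recent and ts - recent[0][0] > window_seconds:
            recent.popleft()
        is_dup = any(k == key for _, k in recent)
        recent.append((ts, key))
        if not is_dup:
            kept.append((ts, frame))
    return kept


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_frame(src_mac: bytes, dst_mac: bytes, ttl: int, payload: bytes) -> bytes:
    """Constructed Ethernet + IPv4 header (protocol field UDP) + opaque payload,
    with made-up addresses; only the fields that change per hop matter here."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, 17, 0, bytes([192, 168, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return dst_mac + src_mac + b"\x08\x00" + hdr + payload


def demo() -> dict:
    """Same packet seen on tap A and, one hop later, on tap B, plus an exact
    retransmitted copy, an unrelated frame and a late copy outside 0.1 s."""
    mac_a, mac_b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    gw_a, gw_b = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
    on_a = ipv4_frame(mac_a, gw_a, 64, b"hello")          # captured before the router
    on_b = ipv4_frame(mac_b, gw_b, 63, b"hello")          # same packet after the router
    other = ipv4_frame(mac_a, gw_a, 64, b"other")
    packets = [(0.0, on_a), (0.0005, on_b), (0.0010, on_a), (0.0020, other), (0.5, on_a)]
    return {
        "hashes": [(len(f), frame_digest(f)) for _, f in packets],   # what -v -D 0 prints
        "D5": len(dedup_window(packets, 5)),                         # editcap -d
        "D5_I26": len(dedup_window(packets, 5, ignore_bytes=26)),    # editcap -d -I 26
        "D2": len(dedup_window(packets, 2)),                         # only the previous frame
        "w01": len(dedup_time(packets, 0.1)),                        # editcap -w 0.1
        "w01_I26": len(dedup_time(packets, 0.1, ignore_bytes=26)),   # editcap -w 0.1 -I 26
        "same_after_26": frame_digest(on_a, 26) == frame_digest(on_b, 26),
        "same_plain": frame_digest(on_a) == frame_digest(on_b),
    }
```

Running demo() shows the trade-off directly: plain -d keeps the router-B copy because the MAC addresses, TTL and checksum differ, -I 26 collapses both copies into one, and -D 2 catches nothing because the duplicates are never adjacent. When choosing a window, look at how far apart the copies are in the actual capture rather than reaching for the default.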

    To introduce 5% random errors in a capture file use:

      editcap -E 0.05 capture.pcap capture_error.pcap
