如何使用capedit分割数据包文件

wireshark是一个网络数据包的分析工具，主要用来捕获网卡上的数据包并显示数据包的详细内容。在处理一些大的数据包文件时，如果直接用wireshark图形工具打开一些大文件的数据包会出现响应慢甚至没有响应的情况，所以可以用wireshark带的一些命令集工具程序来处理数据包文件，本章着重讲数据包文件的分割。

1、打开dos命令行，通过capinfos <filename>命令查看数据包文件的基本信息，包括文件的大小、报文数量等：(如果无法执行命令则需要在环境变量中添加wireshark程序集的安装路径)

PS E:capture> capinfos .1000kb.pcap
File name:           .1000kb.pcap
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Number of packets:   9238
File size:           4627 kB
Data size:           4321 kB
Capture duration:    305.585406 seconds
First packet time:   2017-09-27 16:23:07.550690
Last packet time:    2017-09-27 16:28:13.136096
Data byte rate:      14 kBps
Data bit rate:       113 kbps
Average packet size: 467.76 bytes
Average packet rate: 30 packets/s
SHA1:                31280cb3fd0c1e70f8a9fc9a14ce45b4f52b51a8
RIPEMD160:           f4ee9d62113b55ceee6a394228d31910be745dc0
MD5:                 18b9363419eb9db0afd6b8a4145a57c7
Strict time order:   True

//这一部分信息是捕获这个数据包的系统和网卡信息，不是每一个文件都会包含这一部分信息的
Capture hardware:    Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz (with SSE4.2)
Capture oper-sys:    64-bit Windows 10, build 14393
Capture application: Dumpcap (Wireshark) 2.4.1 (v2.4.1-0-gf42a0d2b6c)
Number of interfaces in file: 1
Interface #0 info:
                     Name = DeviceNPF_{2B766845-80BC-4981-948B-8B8B27FF5AE1}
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 65535
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Time resolution = 0x06
                     Operating system = 64-bit Windows 10, build 14393
                     Number of stat entries = 1
                     Number of packets = 9238

2、按指定报文数量进行分割：editcap –c <count> <input_filename> <output_filename>,例如以每个文件2000个数据包分割一个8k+数据包文件：

PS E:capture> capinfos .internet.pcap
File name:           .internet.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: 262144 bytes
Number of packets:   8868
File size:           6314 kB
Data size:           6172 kB
Capture duration:    29.186309 seconds
First packet time:   2017-01-04 20:58:09.045419
Last packet time:    2017-01-04 20:58:38.231728
Data byte rate:      211 kBps
Data bit rate:       1691 kbps
Average packet size: 696.04 bytes
Average packet rate: 303 packets/s
SHA1:                308106d42663b6daea5f078779e112e2457975b4
RIPEMD160:           13b91a516eb825dbdceb5d291fea5343a5fb6629
MD5:                 5320ddbbef7a7f25d8b17a964dbfb40d
Strict time order:   True
Number of interfaces in file: 1
Interface #0 info:
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Number of stat entries = 0
                     Number of packets = 8868
PS E:capture>
PS E:capture> editcap -c 2000 .internet.pcap internet_2000.pcap
PS E:capture>
PS E:capture> ls


    目录: E:capture


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2017/9/27     16:28        4627932 1000kb.pcap
-a----         2017/1/4     20:21             94 doff.pcap
-a----        2017/9/27     16:30           2596 httphostaddrs.txt
-a----         2017/1/4     20:58        6314391 internet.pcap
-a----        2017/9/28     14:55        1596712 internet_2000_00000_20170104205809.pcap
-a----        2017/9/28     14:55        1719644 internet_2000_00001_20170104205813.pcap
-a----        2017/9/28     14:55        1736972 internet_2000_00002_20170104205813.pcap
-a----        2017/9/28     14:55        1153596 internet_2000_00003_20170104205814.pcap
-a----        2017/9/28     14:55         265720 internet_2000_00004_20170104205828.pcap
-a----        2017/1/10     10:24          43825 ipv6.pcap
-a----        2017/1/10     10:24            262 ipv61.pcap
-a----        2017/1/10     10:25            254 ipv62.pcap
-a----        2017/1/10     13:47            154 ipv6_tester1.pcap
-a----        2017/1/12     11:44            100 vlan1002.pcap
-a----        2017/3/17     18:11        1121384 webauth.pcapng


PS E:capture>
PS E:capture> start .internet_2000_00000_20170104205809.pcap

分割文件命名：会以序号加上每个文件的报文起始时间为命名，可以打开分割后的文件查看：

在文件>文件集合>列出文件 可以快速切换到其他分割的文件：

3、按指定时间间隔进行分割：editcap –i <time> <input_filename> <output_filename>,例如以每个文件包含10s数据包分割数据包文件：

PS E:capture> editcap -i 10 .internet.pcap internet_10s.pcap
PS E:capture>
PS E:capture> ls


    目录: E:capture


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2017/9/27     16:28        4627932 1000kb.pcap
-a----         2017/1/4     20:21             94 doff.pcap
-a----        2017/9/27     16:30           2596 httphostaddrs.txt
-a----         2017/1/4     20:58        6314391 internet.pcap
-a----        2017/9/28     15:16        6041588 internet_10s_00000_20170104205809.pcap
-a----        2017/9/28     15:16         180956 internet_10s_00001_20170104205819.pcap
-a----        2017/9/28     15:16         249956 internet_10s_00002_20170104205829.pcap
-a----        2017/1/10     10:24          43825 ipv6.pcap
-a----        2017/1/10     10:24            262 ipv61.pcap
-a----        2017/1/10     10:25            254 ipv62.pcap
-a----        2017/1/10     13:47            154 ipv6_tester1.pcap
-a----        2017/1/12     11:44            100 vlan1002.pcap
-a----        2017/3/17     18:11        1121384 webauth.pcapng


PS E:capture> start .internet_10s_00000_20170104205809.pcap
PS E:capture>