wireshark/doc/editcap.pod


=head1 NAME

Editcap - Edit and/or translate the format of capture files

=head1 SYNOPSYS

B<editcap>
S<[ B<-F> file format ]>
S<[ B<-T> encapsulation type ]>
S<[ B<-r> ]>
S<[ B<-v> ]>
S<[ B<-h> ]>
I<infile>
I<outfile>
S<[ I<record#> ... ]>

=head1 DESCRIPTION

B<Editcap> is a program that reads a saved capture file and writes some
or all of the packets in that capture file to another capture file.
B<Editcap> knows how to read B<libpcap>
capture files, including those of B<tcpdump>.  In addition, B<Editcap> can
read capture files from B<snoop> (including B<Shomiti>) and B<atmsnoop>,
B<LanAlyzer>, uncompressed B<Sniffer>, Microsoft B<Network Monitor>,
AIX's B<iptrace>, B<NetXray>, B<Sniffer Pro>, B<RADCOM>'s WAN/LAN
analyzer, B<Lucent/Ascend> router debug output, HP-UX's B<nettl>, and
the dump output from B<Toshiba's> ISDN routers.  There is no need to
tell B<Editcap> what type of file you are reading; it will determine the
file type by itself.  B<Editcap> is also capable of reading any of these
file formats if they are compressed using gzip.  B<Editcap> recognizes
this directly from the file; the '.gz' extension is not required for
this purpose.

By default, it writes the capture file in B<libpcap> format, and writes
all of the packets in the capture file to the output file.  The B<-F>
flag can be used to specify the format in which to write the capture
file; it can write the file in B<libpcap> format (standard B<libpcap>
format, a modified format used by some patched versions of B<libpcap>,
or the format used by Red Hat Linux 6.1), B<snoop> format, uncompressed
B<Sniffer> format, Microsoft B<Network Monitor> 1.x format, and the
format used by Windows-based versions of the B<Sniffer> software.

A list of packet numbers can be specified on the command line; the
packets with those numbers will I<not> be written to the capture file,
unless the B<-r> flag is specified, in which case I<only> those packets
will be written to the capture file.

If the B<-T> flag, the encapsulation type of the output capture file
will be forced to the specified type, rather than being the type
appropriate to the encapsulation type of the input capture file.  Note
that this merely forces the encapsulation type of the output file to be
the specified type; the packet headers of the packets will not be
translated from the encapsulation type of the input capture file to the
specified encapsulation type (for example, it will not translate an
Ethernet capture to an FDDI capture if an Ethernet capture is read and
'B<-T fddi>' is specified).

=head1 OPTIONS

=over 4

=item -F

Sets the file format of the output capture file.

=item -T

Sets the packet encapsulation type of the output capture file.

=item -r

Causes the packets whose packet numbers are specified on the command
line to be written to the output capture file, and no other packets to
be written to the output capture file.

=item -v

Causes B<editcap> to print a number of messages while it's working.

=item -h

Prints the version and options and exits.

=head1 SEE ALSO

L<tcpdump(8)>, L<pcap(3)>, L<ethereal(1)>

=head1 NOTES

B<Editcap> is part of the B<Ethereal> distribution.  The latest version
of B<Ethereal> can be found at B<http://ethereal.zing.org>.

=head1 AUTHORS

  Original Author
  -------- ------
  Richard Sharpe           <sharpe@ns.aus.com>


  Contributors
  ------------
  Guy Harris               <guy@alum.mit.edu>
Add a man page for "editcap". svn path=/trunk/; revision=1446 2000-01-09 20:28:26 +00:00
			`=head1 NAME`

			`Editcap - Edit and/or translate the format of capture files`

			`=head1 SYNOPSYS`

			`B<editcap>`
			`S<[ B<-F> file format ]>`
			`S<[ B<-T> encapsulation type ]>`
			`S<[ B<-r> ]>`
			`S<[ B<-v> ]>`
			`S<[ B<-h> ]>`
			`I<infile>`
			`I<outfile>`
			`S<[ I<record#> ... ]>`

			`=head1 DESCRIPTION`

			`B<Editcap> is a program that reads a saved capture file and writes some`
			`or all of the packets in that capture file to another capture file.`
			`B<Editcap> knows how to read B<libpcap>`
			`capture files, including those of B<tcpdump>. In addition, B<Editcap> can`
			`read capture files from B<snoop> (including B<Shomiti>) and B<atmsnoop>,`
			`B<LanAlyzer>, uncompressed B<Sniffer>, Microsoft B<Network Monitor>,`
			`AIX's B<iptrace>, B<NetXray>, B<Sniffer Pro>, B<RADCOM>'s WAN/LAN`
			`analyzer, B<Lucent/Ascend> router debug output, HP-UX's B<nettl>, and`
			`the dump output from B<Toshiba's> ISDN routers. There is no need to`
			`tell B<Editcap> what type of file you are reading; it will determine the`
			`file type by itself. B<Editcap> is also capable of reading any of these`
			`file formats if they are compressed using gzip. B<Editcap> recognizes`
			`this directly from the file; the '.gz' extension is not required for`
			`this purpose.`

			`By default, it writes the capture file in B<libpcap> format, and writes`
			`all of the packets in the capture file to the output file. The B<-F>`
			`flag can be used to specify the format in which to write the capture`
			`file; it can write the file in B<libpcap> format (standard B<libpcap>`
			`format, a modified format used by some patched versions of B<libpcap>,`
			`or the format used by Red Hat Linux 6.1), B<snoop> format, uncompressed`
			`B<Sniffer> format, Microsoft B<Network Monitor> 1.x format, and the`
			`format used by Windows-based versions of the B<Sniffer> software.`

			`A list of packet numbers can be specified on the command line; the`
			`packets with those numbers will I<not> be written to the capture file,`
			`unless the B<-r> flag is specified, in which case I<only> those packets`
			`will be written to the capture file.`

			`If the B<-T> flag, the encapsulation type of the output capture file`
			`will be forced to the specified type, rather than being the type`
Note that the "-T" flag doesn't cause "editcap" to translate link-layer headers, it just causes it to force the encapsulation type of the output file to the specified type. svn path=/trunk/; revision=1702 2000-03-07 23:50:32 +00:00			`appropriate to the encapsulation type of the input capture file. Note`
			`that this merely forces the encapsulation type of the output file to be`
			`the specified type; the packet headers of the packets will not be`
			`translated from the encapsulation type of the input capture file to the`
			`specified encapsulation type (for example, it will not translate an`
			`Ethernet capture to an FDDI capture if an Ethernet capture is read and`
			`'B<-T fddi>' is specified).`
Add a man page for "editcap". svn path=/trunk/; revision=1446 2000-01-09 20:28:26 +00:00
			`=head1 OPTIONS`

			`=over 4`

			`=item -F`

			`Sets the file format of the output capture file.`

			`=item -T`

			`Sets the packet encapsulation type of the output capture file.`

			`=item -r`

			`Causes the packets whose packet numbers are specified on the command`
			`line to be written to the output capture file, and no other packets to`
			`be written to the output capture file.`

			`=item -v`

			`Causes B<editcap> to print a number of messages while it's working.`

			`=item -h`

			`Prints the version and options and exits.`

			`=head1 SEE ALSO`

			`L<tcpdump(8)>, L<pcap(3)>, L<ethereal(1)>`

			`=head1 NOTES`

			`B<Editcap> is part of the B<Ethereal> distribution. The latest version`
			`of B<Ethereal> can be found at B<http://ethereal.zing.org>.`

			`=head1 AUTHORS`

			`Original Author`
			`-------- ------`
			`Richard Sharpe <sharpe@ns.aus.com>`


			`Contributors`
			`------------`
			`Guy Harris <guy@alum.mit.edu>`