2000-01-09 20:28:26 +00:00

=head1 NAME

editcap - Edit and/or translate the format of capture files

=head1 SYNOPSIS

B<editcap>
S<[ B<-c> E<lt>packets per fileE<gt> ]>
S<[ B<-C> E<lt>choplenE<gt> ]>
S<[ B<-E> E<lt>error probabilityE<gt> ]>
S<[ B<-F> E<lt>file formatE<gt> ]>
S<[ B<-h> ]>
S<[ B<-r> ]>
S<[ B<-s> E<lt>snaplenE<gt> ]>
S<[ B<-t> E<lt>time adjustmentE<gt> ]>
S<[ B<-T> E<lt>encapsulation typeE<gt> ]>
S<[ B<-v> ]>
I<infile>
I<outfile>
S<[ I<packet#>[-I<packet#>] ... ]>

=head1 DESCRIPTION

B<Editcap> is a program that reads some or all of the captured packets from the
I<infile>, optionally converts them in various ways and writes the
resulting packets to the capture I<outfile> (or outfiles).

By default, it reads all packets from the I<infile> and writes them to the I<outfile>
in libpcap file format.

A list of packet numbers can be specified on the command line; ranges of packet numbers can be
specified as I<start>-I<end>, referring to all packets from I<start> to
I<end>, inclusive.
Packets with the selected numbers will I<not> be written to the output capture file.
If the B<-r> flag is specified, the packet selection is reversed; in that case I<only> the selected packets
will be written to the output capture file.
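
The selection rule described above (drop the listed packets, or with B<-r> keep only them) is small enough to show in full. The Python below is an added example, not editcap's own code: it parses the I<packet#>[-I<packet#>] tokens from the command line, validates them, and applies the keep/drop decision to packets numbered from 1 in file order. The function names are this example's own, and the list of integers standing in for a capture is constructed test input.

```python
"""Packet-number selection as editcap's command line describes it: a list of
single numbers and START-END ranges.  By default the selected packets are
dropped; with -r only the selected packets are kept.  Added example, not
editcap's own code; the function names are this example's own."""


def parse_selection(tokens):
    """Turn tokens such as ['1000', '200-750', '10-20'] into (start, end) pairs.

    A bare number selects that packet; START-END selects every packet from
    START through END inclusive.  Ranges are kept as pairs rather than
    expanded, so an open-ended token like 501-9999999 costs nothing extra.
    Ill-formed tokens are rejected rather than silently ignored, since a
    skipped token would change which packets survive into the output file.
    """
    ranges = []
    for token in tokens:
        start, sep, end = token.partition("-")
        if not start.isdigit() or (sep and not end.isdigit()):
            raise ValueError(f"bad packet selection {token!r}")
        lo = int(start)
        hi = int(end) if sep else lo
        if lo < 1 or hi < lo:
            raise ValueError(f"bad packet range {token!r}")
        ranges.append((lo, hi))
    return ranges


def is_selected(number, ranges):
    """True if the 1-based packet number falls inside any selected range."""
    return any(lo <= number <= hi for lo, hi in ranges)


def filter_packets(packets, tokens, reverse=False):
    """Apply editcap's keep/drop rule to a sequence of packets in file order.

    Without -r (reverse=False) a packet is written unless it is selected;
    with -r only selected packets are written.  Returns the packets to write.
    """
    ranges = parse_selection(tokens)
    kept = []
    for number, packet in enumerate(packets, start=1):
        # A packet is kept exactly when "selected" matches the -r flag.
        if is_selected(number, ranges) == reverse:
            kept.append(packet)
    return kept


if __name__ == "__main__":
    # Constructed stand-in for a 50-packet capture: the packet numbers themselves.
    capture = list(range(1, 51))
    print("drop 10-20 and 30-40:", filter_packets(capture, ["10-20", "30-40"]))
    print("keep only 1-5 (-r):  ", filter_packets(capture, ["1-5"], reverse=True))
```

The two EXAMPLES-section forms for extracting packets 1-500, B<-r> with 1-500 and no B<-r> with 501-9999999, produce the same output for any capture of at most 9999999 packets, which is exactly what the keep/drop comparison above encodes.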

The supported input and output capture file formats are described in a section below.

=head1 OPTIONS

=over 4

=item -c E<lt>packets per fileE<gt>

Sets the maximum number of packets per output file. Each output file will
be created with a suffix -nnnnn, starting with 00000. Once the specified
number of packets has been written to an output file, the next output file is
opened. The default is to use a single output file.

=item -C E<lt>choplenE<gt>

Sets the chop length to use when writing the packet data.
Each packet is chopped at its end by I<choplen> bytes of data.

This is useful in the rare case that the conversion between two file
formats leaves some random bytes at the end of each packet.

=item -E E<lt>error probabilityE<gt>

Sets the probability that bytes in the output file are randomly changed.
B<Editcap> uses that probability (between 0.0 and 1.0 inclusive)
to apply errors to each data byte in the file. For instance, a
probability of 0.02 means that each byte has a 2% chance of having an error.

This option is meant to be used for fuzz-testing protocol dissectors.

=item -F E<lt>file formatE<gt>

Sets the file format of the output capture file.
B<Editcap> can write the file in several formats; B<editcap -F>
provides a list of the available output formats. The default
is the B<libpcap> format.

=item -h

Prints the version and options and exits.

=item -r

Reverses the packet selection.
Causes the packets whose packet numbers are specified on the command
line to be written to the output capture file, instead of discarding them.

=item -s E<lt>snaplenE<gt>

Sets the snapshot length to use when writing the data.
If the B<-s> flag is used to specify a snapshot length, packets in the
input file with more captured data than the specified snapshot length
will have only the amount of data specified by the snapshot length
written to the output file.

This may be useful if the program that is
to read the output file cannot handle packets larger than a certain size
(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6
appear to reject Ethernet packets larger than the standard Ethernet MTU,
making them incapable of handling gigabit Ethernet captures if jumbo
packets were used).

=item -t E<lt>time adjustmentE<gt>

Sets the time adjustment to use on selected packets.
If the B<-t> flag is used to specify a time adjustment, the specified
adjustment will be applied to all selected packets in the capture file.
The adjustment is specified as [-]I<seconds>[I<.fractional seconds>].
For example, B<-t> 3600 advances the timestamp on selected packets by one
hour while B<-t> -0.5 reduces the timestamp on selected packets by
one-half second.

This feature is useful when synchronizing dumps
collected on different machines where the time difference between the
two machines is known or can be estimated.

=item -T E<lt>encapsulation typeE<gt>

Sets the packet encapsulation type of the output capture file.
If the B<-T> flag is used to specify an encapsulation type, the
encapsulation type of the output capture file will be forced to the
specified type.
B<editcap -T> provides a list of the available types. The default
type is the one appropriate to the encapsulation type of the input
capture file.

Note: this merely
forces the encapsulation type of the output file to be the specified
type; the packet headers of the packets will not be translated from the
encapsulation type of the input capture file to the specified
encapsulation type (for example, it will not translate an Ethernet
capture to an FDDI capture if an Ethernet capture is read and 'B<-T
fddi>' is specified).

=item -v

Causes B<editcap> to print verbose messages while it's working.

=back

=head1 EXAMPLES

To see a more detailed description of the options, use:

  editcap -h

To shrink the capture file by truncating the packets at 64 bytes and writing it as a Sun snoop file, use:

  editcap -s 64 -F snoop capture.pcap shortcapture.snoop

To delete packet 1000 from the capture file, use:

  editcap capture.pcap sans1000.pcap 1000

To limit a capture file to packets from number 200 to 750 (inclusive), use:

  editcap -r capture.pcap small.pcap 200-750

To get all packets from number 1-500 (inclusive), use:

  editcap -r capture.pcap 500.pcap 1-500

or

  editcap capture.pcap 500.pcap 501-9999999

To filter out packets 10 to 20 and 30 to 40 into a new file, use:

  editcap capture.pcap selection.pcap 10-20 30-40

To introduce 5% random errors in a capture file, use:

  editcap -E 0.05 capture.pcap capture_error.pcap

=head1 CAPTURE FILE FORMATS

There is no need to tell B<Editcap> what type of
file you are reading; it will determine the file type by itself.

B<Editcap> is also capable of reading any of these file formats if they
are compressed using gzip. It recognizes this directly from the
file; the '.gz' extension is not required for this purpose.

The following I<input> file formats are supported:

=over 4

=item *

libpcap/WinPcap, tcpdump and various other tools using tcpdump's capture format

=item *

B<snoop> and B<atmsnoop>

=item *

Shomiti/Finisar B<Surveyor> captures

=item *

Novell B<LANalyzer> captures

=item *

Microsoft B<Network Monitor> captures

=item *

AIX's B<iptrace> captures

=item *

Cinco Networks B<NetXRay> captures

=item *

Network Associates Windows-based B<Sniffer> captures

=item *

Network General/Network Associates DOS-based B<Sniffer> (compressed or uncompressed) captures

=item *

AG Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>/B<EtherHelp>/B<PacketGrabber> captures

=item *

B<RADCOM>'s WAN/LAN analyzer captures

=item *

Network Instruments B<Observer> version 9 captures

=item *

B<Lucent/Ascend> router debug output

=item *

files from HP-UX's B<nettl>

=item *

B<Toshiba>'s ISDN router dump output

=item *

the output from B<i4btrace> from the ISDN4BSD project

=item *

traces from the B<EyeSDN> USB S0

=item *

the output in B<IPLog> format from the Cisco Secure Intrusion Detection System

=item *

B<pppd logs> (pppdump format)

=item *

the output from VMS's B<TCPIPtrace>/B<TCPtrace>/B<UCX$TRACE> utilities

=item *

the text output from the B<DBS Etherwatch> VMS utility

=item *

Visual Networks' B<Visual UpTime> traffic capture

=item *

the output from B<CoSine> L2 debug

=item *

the output from Accellent's B<5Views> LAN agents

=item *

Endace Measurement Systems' ERF format captures

=item *

Linux BlueZ Bluetooth stack B<hcidump -w> traces

=back

B<Editcap> can write the file in several output formats. The B<-F>
flag can be used to specify the format in which to write the capture
file; B<editcap -F> provides
a list of the available output formats.

=head1 SEE ALSO

I<tcpdump(8)>, I<pcap(3)>, I<ethereal(1)>, I<mergecap(1)>

=head1 NOTES

B<Editcap> is part of the B<Ethereal> distribution. The latest version
of B<Ethereal> can be found at B<http://www.ethereal.com>.

=head1 AUTHORS

  Original Author
  -------- ------
  Richard Sharpe             <sharpe[AT]ns.aus.com>

  Contributors
  ------------
  Guy Harris                 <guy[AT]alum.mit.edu>
  Ulf Lamping                <ulf.lamping[AT]web.de>