PCAP/PCAPNG: Be consistent in documentation, etc
1) The default build configuration is to select PCAPNG as output format, but it can be selected as PCAP. Some of the command line tools have the option to select the output format and default towards the build configuration. This has to be reflected in their help output also.

2) Various documentation files are still stating that PCAP is the default format of various tools. With the default build configuration being PCAPNG these have to be adjusted as well. (with lack of dynamic content the documentation can only refer to the default build configuration format).

Change-Id: I51d19642a7ed8c99817971c1f25d20972095021e
Signed-off-by: Jaap Keuter <jaap.keuter@xs4all.nl>
Reviewed-on: https://code.wireshark.org/review/30951
Petri-Dish: Anders Broman <a.broman58@gmail.com>
Tested-by: Petri Dish Buildbot
Reviewed-by: Anders Broman <a.broman58@gmail.com>
parent
0dfa4e8253
commit
a58904f387
|
@ -53,7 +53,7 @@ I<infile>, optionally converts them in various ways and writes the
|
|||
resulting packets to the capture I<outfile> (or outfiles).
|
||||
|
||||
By default, it reads all packets from the I<infile> and writes them to the
|
||||
I<outfile> in pcap file format.
|
||||
I<outfile> in pcapng file format.
|
||||
|
||||
An optional list of packet numbers can be specified on the command tail;
|
||||
individual packet numbers separated by whitespace and/or ranges of packet
|
||||
|
@ -169,7 +169,7 @@ This option is meant to be used for fuzz-testing protocol dissectors.
|
|||
Sets the file format of the output capture file.
|
||||
B<Editcap> can write the file in several formats, B<editcap -F>
|
||||
provides a list of the available output formats. The default
|
||||
is the B<pcap> format.
|
||||
is the B<pcapng> format.
|
||||
|
||||
=item -h
|
||||
|
||||
|
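Review bot: In the -F item, "The default is the B<pcapng> format" is stated unconditionally, while the editcap.c usage text in this same change prints pcap or pcapng depending on PCAP_NG_DEFAULT. Suggest a short clause such as "unless the build was configured for pcap", or a pointer to the -h output, so a reader on a pcap-default build is not misled about what ends up in the output file.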
@ -360,73 +360,73 @@ To see more detailed description of the options use:
|
|||
|
||||
To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:
|
||||
|
||||
editcap -s 64 -F snoop capture.pcap shortcapture.snoop
|
||||
editcap -s 64 -F snoop capture.pcapng shortcapture.snoop
|
||||
|
||||
To delete packet 1000 from the capture file use:
|
||||
|
||||
editcap capture.pcap sans1000.pcap 1000
|
||||
editcap capture.pcapng sans1000.pcapng 1000
|
||||
|
||||
To limit a capture file to packets from number 200 to 750 (inclusive) use:
|
||||
|
||||
editcap -r capture.pcap small.pcap 200-750
|
||||
editcap -r capture.pcapng small.pcapng 200-750
|
||||
|
||||
To get all packets from number 1-500 (inclusive) use:
|
||||
|
||||
editcap -r capture.pcap first500.pcap 1-500
|
||||
editcap -r capture.pcapng first500.pcapng 1-500
|
||||
|
||||
or
|
||||
|
||||
editcap capture.pcap first500.pcap 501-9999999
|
||||
editcap capture.pcapng first500.pcapng 501-9999999
|
||||
|
||||
To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:
|
||||
|
||||
editcap capture.pcap exclude.pcap 1 5 10-20 30-40
|
||||
editcap capture.pcapng exclude.pcapng 1 5 10-20 30-40
|
||||
|
||||
To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:
|
||||
|
||||
editcap -r capture.pcap select.pcap 1 5 10-20 30-40
|
||||
editcap -r capture.pcapng select.pcapng 1 5 10-20 30-40
|
||||
|
||||
To remove duplicate packets seen within the prior four frames use:
|
||||
|
||||
editcap -d capture.pcap dedup.pcap
|
||||
editcap -d capture.pcapng dedup.pcapng
|
||||
|
||||
To remove duplicate packets seen within the prior four frames while skipping radiotap headers use:
|
||||
|
||||
editcap -d --skip-radiotap-header capture.pcap dedup.pcap
|
||||
editcap -d --skip-radiotap-header capture.pcapng dedup.pcapng
|
||||
|
||||
To remove duplicate packets seen within the prior 100 frames use:
|
||||
|
||||
editcap -D 101 capture.pcap dedup.pcap
|
||||
editcap -D 101 capture.pcapng dedup.pcapng
|
||||
|
||||
To remove duplicate packets seen I<equal to or less than> 1/10th of a second:
|
||||
|
||||
editcap -w 0.1 capture.pcap dedup.pcap
|
||||
editcap -w 0.1 capture.pcapng dedup.pcapng
|
||||
|
||||
To display the MD5 hash for all of the packets (and NOT generate any
|
||||
real output file):
|
||||
|
||||
editcap -v -D 0 capture.pcap /dev/null
|
||||
editcap -v -D 0 capture.pcapng /dev/null
|
||||
|
||||
or on Windows systems
|
||||
|
||||
editcap -v -D 0 capture.pcap NUL
|
||||
editcap -v -D 0 capture.pcapng NUL
|
||||
|
||||
To advance the timestamps of each packet forward by 3.0827 seconds:
|
||||
|
||||
editcap -t 3.0827 capture.pcap adjusted.pcap
|
||||
editcap -t 3.0827 capture.pcapng adjusted.pcapng
|
||||
|
||||
To ensure all timestamps are in strict chronological order:
|
||||
|
||||
editcap -S 0 capture.pcap adjusted.pcap
|
||||
editcap -S 0 capture.pcapng adjusted.pcapng
|
||||
|
||||
To introduce 5% random errors in a capture file use:
|
||||
|
||||
editcap -E 0.05 capture.pcap capture_error.pcap
|
||||
editcap -E 0.05 capture.pcapng capture_error.pcapng
|
||||
|
||||
To remove vlan tags from all packets within an Ethernet-encapsulated capture
|
||||
file, use:
|
||||
|
||||
editcap -L -C 12:4 capture_vlan.pcap capture_no_vlan.pcap
|
||||
editcap -L -C 12:4 capture_vlan.pcapng capture_no_vlan.pcapng
|
||||
|
||||
To chop both the 10 byte and 20 byte regions from the following 75 byte packet
|
||||
in a single pass, use any of the 8 possible methods provided below:
|
||||
|
@ -437,18 +437,18 @@ in a single pass, use any of the 8 possible methods provided below:
|
|||
| 5 | 10 | 15 | 20 | 25 |
|
||||
+---+-------+-----------+---------------+-------------------+
|
||||
|
||||
1) editcap -C 5:10 -C -25:-20 capture.pcap chopped.pcap
|
||||
2) editcap -C 5:10 -C 50:-20 capture.pcap chopped.pcap
|
||||
3) editcap -C -70:10 -C -25:-20 capture.pcap chopped.pcap
|
||||
4) editcap -C -70:10 -C 50:-20 capture.pcap chopped.pcap
|
||||
5) editcap -C 30:20 -C -60:-10 capture.pcap chopped.pcap
|
||||
6) editcap -C 30:20 -C 15:-10 capture.pcap chopped.pcap
|
||||
7) editcap -C -45:20 -C -60:-10 capture.pcap chopped.pcap
|
||||
8) editcap -C -45:20 -C 15:-10 capture.pcap chopped.pcap
|
||||
1) editcap -C 5:10 -C -25:-20 capture.pcapng chopped.pcapng
|
||||
2) editcap -C 5:10 -C 50:-20 capture.pcapng chopped.pcapng
|
||||
3) editcap -C -70:10 -C -25:-20 capture.pcapng chopped.pcapng
|
||||
4) editcap -C -70:10 -C 50:-20 capture.pcapng chopped.pcapng
|
||||
5) editcap -C 30:20 -C -60:-10 capture.pcapng chopped.pcapng
|
||||
6) editcap -C 30:20 -C 15:-10 capture.pcapng chopped.pcapng
|
||||
7) editcap -C -45:20 -C -60:-10 capture.pcapng chopped.pcapng
|
||||
8) editcap -C -45:20 -C 15:-10 capture.pcapng chopped.pcapng
|
||||
|
||||
To add comment strings to the first 2 input frames, use:
|
||||
|
||||
editcap -a "1:1st frame" -a 2:Second capture.pcap capture-comments.pcap
|
||||
editcap -a "1:1st frame" -a 2:Second capture.pcapng capture-comments.pcapng
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
|
|
|
@ -25,11 +25,12 @@ E<lt>I<infile>E<gt> [E<lt>I<infile>E<gt> I<...>]
|
|||
|
||||
B<Mergecap> is a program that combines multiple saved capture files into
|
||||
a single output file specified by the B<-w> argument. B<Mergecap> knows
|
||||
how to read B<pcap> capture files, including those of B<tcpdump>,
|
||||
B<Wireshark>, and other tools that write captures in that format.
|
||||
how to read B<pcap> and B<pcapng> capture files, including those of
|
||||
B<tcpdump>, B<Wireshark> and other tools that write captures in those
|
||||
formats.
|
||||
|
||||
By default, B<Mergecap> writes the capture file in B<pcap> format, and writes
|
||||
all of the packets from the input capture files to the output file.
|
||||
By default, B<Mergecap> writes the capture file in B<pcapng> format, and
|
||||
writes all of the packets from the input capture files to the output file.
|
||||
|
||||
B<Mergecap> is able to detect, read and write the same capture files that
|
||||
are supported by B<Wireshark>.
|
||||
|
@ -77,8 +78,7 @@ file are already in chronological order.
|
|||
|
||||
Sets the file format of the output capture file. B<Mergecap> can write
|
||||
the file in several formats; B<mergecap -F> provides a list of the
|
||||
available output formats. The default is to use the file format of the
|
||||
first input file.
|
||||
available output formats. By default this is the B<pcapng> format.
|
||||
|
||||
=item -h
|
||||
|
||||
|
|
|
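Review bot: In the -F description, "By default this is the B<pcapng> format" leaves "this" without a clear referent, and it sits where "The default is to use the file format of the first input file" is also shown, which is a statement about behaviour rather than a pcap/pcapng naming fix. Suggest "The default is the B<pcapng> format.", matching the editcap.pod wording, and a line in the commit message saying that the first-input-file text was wrong, since the file_type initialiser in mergecap.c is a fixed pcapng or pcap value.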
@ -36,7 +36,7 @@ E<lt>I<outfile>E<gt>|-
|
|||
=head1 DESCRIPTION
|
||||
|
||||
B<Text2pcap> is a program that reads in an ASCII hex dump and writes the
|
||||
data described into a B<pcap> capture file. B<text2pcap> can
|
||||
data described into a B<pcap> or B<pcapng> capture file. B<text2pcap> can
|
||||
read hexdumps with multiple packets in them, and build a capture file of
|
||||
multiple packets. B<text2pcap> is also capable of generating dummy
|
||||
Ethernet, IP and UDP, TCP, or SCTP headers, in order to build fully
|
||||
|
|
|
@ -79,8 +79,8 @@ B<TShark> is a network protocol analyzer. It lets you capture packet
|
|||
data from a live network, or read packets from a previously saved
|
||||
capture file, either printing a decoded form of those packets to the
|
||||
standard output or writing the packets to a file. B<TShark>'s native
|
||||
capture file format is B<pcap> format, which is also the format used
|
||||
by B<tcpdump> and various other tools.
|
||||
capture file format is B<pcapng> format, which is also the format used
|
||||
by B<wireshark> and various other tools.
|
||||
|
||||
Without any options set, B<TShark> will work much like B<tcpdump>. It
|
||||
will use the pcap library to capture traffic from the first available
|
||||
|
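Review bot: "by B<wireshark> and various other tools" uses a lowercase program name, while the mergecap.pod text in this same change writes B<Wireshark>. Suggest B<Wireshark> here. The next paragraph still says TShark "will work much like B<tcpdump>", which is fine, but with tcpdump no longer named as sharing the native format it may be worth stating that pcap files are still read.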
@ -948,8 +948,8 @@ example,
|
|||
|
||||
will save host name resolution records along with captured packets.
|
||||
|
||||
Future versions of Wireshark may automatically change the capture format to
|
||||
B<pcapng> as needed.
|
||||
Future versions of B<Tshark> may automatically change the capture format
|
||||
to B<pcapng> as needed.
|
||||
|
||||
The argument is a string that may contain the following letter:
|
||||
|
||||
|
|
|
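Review bot: "Future versions of B<Tshark>" does not match the B<TShark> spelling used in the rest of this file (see the description paragraph in the previous hunk). Beyond the casing, a sentence about future versions changing the capture format to B<pcapng> "as needed" reads as outdated next to a description that now calls pcapng the native format; suggest rewording it to say when a pcap output would not hold the name resolution records, or dropping it.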
@ -215,7 +215,7 @@ There may be some occasions when you wish to convert a hex dump of some network
|
|||
traffic into a libpcap file.
|
||||
|
||||
`text2pcap` is a program that reads in an ASCII hex dump and writes the data
|
||||
described into a libpcap-style capture file. text2pcap can read hexdumps with
|
||||
described into a pcap or pcapng capture file. `text2pcap` can read hexdumps with
|
||||
multiple packets in them, and build a capture file of multiple packets.
|
||||
`text2pcap` is also capable of generating dummy Ethernet, IP, UDP, TCP or SCTP
|
||||
headers, in order to build fully processable packet dumps from hexdumps of
|
||||
|
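Review bot: The sentence just above the changed line still ends "convert a hex dump of some network traffic into a libpcap file", so the section now says "libpcap file" in one sentence and "pcap or pcapng capture file" in the next. Suggest updating that lead-in sentence in the same change so the two agree.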
@ -253,7 +253,7 @@ capture with multiple packets. Packets may be preceded by a timestamp. These
|
|||
are interpreted according to the format given on the command line. If not, the
|
||||
first packet is timestamped with the current time the conversion takes place.
|
||||
Multiple packets are written with timestamps differing by one microsecond each.
|
||||
In general, short of these restrictions, text2pcap
|
||||
In general, short of these restrictions, `text2pcap`
|
||||
is pretty liberal about reading in hexdumps and has been tested with a variety
|
||||
of mangled outputs (including being forwarded through email multiple times, with
|
||||
limited line wrap etc.)
|
||||
|
|
|
@ -827,8 +827,12 @@ print_usage(FILE *output)
|
|||
fprintf(output, " -i <seconds per file> split the packet output to different files based on\n");
|
||||
fprintf(output, " uniform time intervals with a maximum of\n");
|
||||
fprintf(output, " <seconds per file> each.\n");
|
||||
fprintf(output, " -F <capture type> set the output file type; default is pcapng. An empty\n");
|
||||
fprintf(output, " \"-F\" option will list the file types.\n");
|
||||
#ifdef PCAP_NG_DEFAULT
|
||||
fprintf(output, " -F <capture type> set the output file type; default is pcapng.\n");
|
||||
#else
|
||||
fprintf(output, " -F <capture type> set the output file type; default is pcap.\n");
|
||||
#endif
|
||||
fprintf(output, " An empty \"-F\" option will list the file types.\n");
|
||||
fprintf(output, " -T <encap type> set the output file encapsulation type; default is the\n");
|
||||
fprintf(output, " same as the input file. An empty \"-T\" option will\n");
|
||||
fprintf(output, " list the encapsulation types.\n");
|
||||
|
|
|
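Review bot: The -F help line is written twice under #ifdef PCAP_NG_DEFAULT / #else, differing only in the format name, and the same pattern appears in mergecap.c and tshark.c. Suggest defining the default format name once (for example a string macro set under PCAP_NG_DEFAULT) and using a single fprintf with it, so the three usage texts cannot drift apart. The continuation line here starts "An empty" while mergecap.c has "an empty"; pick one.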
@ -67,7 +67,11 @@ print_usage(FILE *output)
|
|||
fprintf(output, " default is to merge based on frame timestamps.\n");
|
||||
fprintf(output, " -s <snaplen> truncate packets to <snaplen> bytes of data.\n");
|
||||
fprintf(output, " -w <outfile>|- set the output filename to <outfile> or '-' for stdout.\n");
|
||||
#ifdef PCAP_NG_DEFAULT
|
||||
fprintf(output, " -F <capture type> set the output file type; default is pcapng.\n");
|
||||
#else
|
||||
fprintf(output, " -F <capture type> set the output file type; default is pcap.\n");
|
||||
#endif
|
||||
fprintf(output, " an empty \"-F\" option will list the file types.\n");
|
||||
fprintf(output, " -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.\n");
|
||||
fprintf(output, " an empty \"-I\" option will list the merge modes.\n");
|
||||
|
@ -242,9 +246,9 @@ real_main(int argc, char *argv[])
|
|||
int in_file_count = 0;
|
||||
guint32 snaplen = 0;
|
||||
#ifdef PCAP_NG_DEFAULT
|
||||
int file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG; /* default to pcap format */
|
||||
int file_type = WTAP_FILE_TYPE_SUBTYPE_PCAPNG; /* default to pcapng format */
|
||||
#else
|
||||
int file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP; /* default to pcapng format */
|
||||
int file_type = WTAP_FILE_TYPE_SUBTYPE_PCAP; /* default to pcap format */
|
||||
#endif
|
||||
int err = 0;
|
||||
gchar *err_info = NULL;
|
||||
|
|
8
tshark.c
|
@ -386,10 +386,18 @@ print_usage(FILE *output)
|
|||
|
||||
/*fprintf(output, "\n");*/
|
||||
fprintf(output, "Output:\n");
|
||||
#ifdef PCAP_NG_DEFAULT
|
||||
fprintf(output, " -w <outfile|-> write packets to a pcapng-format file named \"outfile\"\n");
|
||||
#else
|
||||
fprintf(output, " -w <outfile|-> write packets to a pcap-format file named \"outfile\"\n");
|
||||
#endif
|
||||
fprintf(output, " (or to the standard output for \"-\")\n");
|
||||
fprintf(output, " -C <config profile> start with specified configuration profile\n");
|
||||
#ifdef PCAP_NG_DEFAULT
|
||||
fprintf(output, " -F <output file type> set the output file type, default is pcapng\n");
|
||||
#else
|
||||
fprintf(output, " -F <output file type> set the output file type, default is pcap\n");
|
||||
#endif
|
||||
fprintf(output, " an empty \"-F\" option will list the file types\n");
|
||||
fprintf(output, " -V add output of packet tree (Packet Details)\n");
|
||||
fprintf(output, " -O <protocols> Only show packet details of these protocols, comma\n");
|
||||
|
|
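Review bot: The -w help text now says "write packets to a pcapng-format file" or "pcap-format file" depending on PCAP_NG_DEFAULT, but the -F line two entries below lets the user choose another output type, so the -w wording is only right when -F is absent. Suggest a format-neutral -w line ("write packets to a file named \"outfile\"") and leaving the default to the -F line. The -F line here also uses ", default is pcapng" with no full stop, while editcap.c and mergecap.c use "; default is pcapng."; aligning the punctuation would keep the three tools' help output consistent.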