50766c96ad
svn path=/trunk/; revision=7700
150 lines
5.6 KiB
Text
150 lines
5.6 KiB
Text
|
|
=head1 NAME
|
|
|
|
editcap - Edit and/or translate the format of capture files
|
|
|
|
=head1 SYNOPSYS
|
|
|
|
B<editcap>
|
|
S<[ B<-F> file format ]>
|
|
S<[ B<-T> encapsulation type ]>
|
|
S<[ B<-r> ]>
|
|
S<[ B<-v> ]>
|
|
S<[ B<-s> snaplen ]>
|
|
S<[ B<-t> time adjustment ]>
|
|
S<[ B<-h> ]>
|
|
I<infile>
|
|
I<outfile>
|
|
S<[ I<record#> ... ]>
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
B<Editcap> is a program that reads a saved capture file and writes some
|
|
or all of the packets in that capture file to another capture file.
|
|
B<Editcap> knows how to read B<libpcap> capture files, including those
|
|
of B<tcpdump>, B<Ethereal>, and other tools that write captures in that
|
|
format. In addition, B<Editcap> can read capture files from B<snoop>
|
|
and B<atmsnoop>, Shomiti/Finisar B<Surveyor>, Novell B<LANalyzer>,
|
|
Network General/Network Associates DOS-based B<Sniffer> (compressed or
|
|
uncompressed), Microsoft B<Network Monitor>, AIX's B<iptrace>, Cinco
|
|
Networks B<NetXRay>, Network Associates Windows-based B<Sniffer>, AG
|
|
Group/WildPackets B<EtherPeek>/B<TokenPeek>/B<AiroPeek>, B<RADCOM>'s
|
|
WAN/LAN analyzer, B<Lucent/Ascend> router debug output, HP-UX's
|
|
B<nettl>, the dump output from B<Toshiba's> ISDN routers, the output
|
|
from B<i4btrace> from the ISDN4BSD project, the output in B<IPLog>
|
|
format from the Cisco Secure Intrusion Detection System, B<pppd logs>
|
|
(pppdump format), the output from VMS's
|
|
B<TCPIPtrace>/B<TCPtrace>B<UCX$TRACE> utilities, the text output from
|
|
the B<DBS Etherwatch> VMS utility, traffic capture files from Visual
|
|
Networks' Visual UpTime and the output from B<CoSine> L2 debug. There
|
|
is no need to tell B<Editcap> what type of file you are reading; it will
|
|
determine the file type by itself. B<Editcap> is also capable of
|
|
reading any of these file formats if they are compressed using gzip.
|
|
B<Editcap> recognizes this directly from the file; the '.gz' extension
|
|
is not required for this purpose.
|
|
|
|
By default, it writes the capture file in B<libpcap> format, and writes
|
|
all of the packets in the capture file to the output file. The B<-F>
|
|
flag can be used to specify the format in which to write the capture
|
|
file; it can write the file in B<libpcap> format (standard B<libpcap>
|
|
format, a modified format used by some patched versions of B<libpcap>,
|
|
the format used by Red Hat Linux 6.1, or the format used by SuSE Linux
|
|
6.3), B<snoop> format, uncompressed B<Sniffer> format, Microsoft
|
|
B<Network Monitor> 1.x format, the format used by Windows-based versions
|
|
of the B<Sniffer> software, and the format used by Visual Networks'
|
|
software.
|
|
|
|
A list of packet numbers can be specified on the command line; the
|
|
packets with those numbers will I<not> be written to the capture file,
|
|
unless the B<-r> flag is specified, in which case I<only> those packets
|
|
will be written to the capture file. Ranges of packet numbers can be
|
|
specified as I<start>-I<end>, referring to all packets from I<start> to
|
|
I<end> (removing them all if B<-r> isn't specified, including them all
|
|
if B<-r> is specified).
|
|
|
|
If the B<-s> flag is used to specify a snapshot length, frames in the
|
|
input file with more captured data than the specified snapshot length
|
|
will have only the amount of data specified by the snapshot length
|
|
written to the output file. This may be useful if the program that is
|
|
to read the output file cannot handle packets larger than a certain size
|
|
(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6
|
|
appear to reject Ethernet frames larger than the standard Ethernet MTU,
|
|
making them incapable of handling gigabit Ethernet captures if jumbo
|
|
frames were used).
|
|
|
|
If the B<-t> flag is used to specify a time adjustment, the specified
|
|
adjustment will be applied to all selected frames in the capture file.
|
|
The adjustment is specified as [-]I<seconds>[I<.fractional seconds>].
|
|
For example, B<-t> 3600 advances the timestamp on selected frames by one
|
|
hour while B<-t> -0.5 reduces the timestamp on selected frames by
|
|
one-half second. This feature is useful when synchronizing dumps
|
|
collected on different machines where the time difference between the
|
|
two machines is known or can be estimated.
|
|
|
|
If the B<-T> flag is used to specify an encapsulation type, the
|
|
encapsulation type of the output capture file will be forced to the
|
|
specified type, rather than being the type appropriate to the
|
|
encapsulation type of the input capture file. Note that this merely
|
|
forces the encapsulation type of the output file to be the specified
|
|
type; the packet headers of the packets will not be translated from the
|
|
encapsulation type of the input capture file to the specified
|
|
encapsulation type (for example, it will not translate an Ethernet
|
|
capture to an FDDI capture if an Ethernet capture is read and 'B<-T
|
|
fddi>' is specified).
|
|
|
|
=head1 OPTIONS
|
|
|
|
=over 4
|
|
|
|
=item -F
|
|
|
|
Sets the file format of the output capture file.
|
|
|
|
=item -T
|
|
|
|
Sets the packet encapsulation type of the output capture file.
|
|
|
|
=item -r
|
|
|
|
Causes the packets whose packet numbers are specified on the command
|
|
line to be written to the output capture file, and no other packets to
|
|
be written to the output capture file.
|
|
|
|
=item -v
|
|
|
|
Causes B<editcap> to print a number of messages while it's working.
|
|
|
|
=item -s
|
|
|
|
Sets the snapshot length to use when writing the data.
|
|
|
|
=item -t
|
|
|
|
Sets the time adjustment to use on selected frames.
|
|
|
|
=item -h
|
|
|
|
Prints the version and options and exits.
|
|
|
|
=back
|
|
|
|
=head1 SEE ALSO
|
|
|
|
I<tcpdump(8)>, I<pcap(3)>, I<ethereal(1)>, I<mergecap(1)>
|
|
|
|
=head1 NOTES
|
|
|
|
B<Editcap> is part of the B<Ethereal> distribution. The latest version
|
|
of B<Ethereal> can be found at B<http://www.ethereal.com>.
|
|
|
|
=head1 AUTHORS
|
|
|
|
Original Author
|
|
-------- ------
|
|
Richard Sharpe <sharpe[AT]ns.aus.com>
|
|
|
|
|
|
Contributors
|
|
------------
|
|
Guy Harris <guy[AT]alum.mit.edu>
|