Softpanorama

May the source be with you, but remember the KISS principle ;-)
Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and  bastardization of classic Unix

editcap - Edit and/or translate the format of capture files

News See also Introduction Reference Options Examples pcap library
ngrep tcpdump Ethereal Snort Snoop Humor Etc

Introduction

editcap [ -c <packets per file> ] [ -C <choplen> ] [ -E <error probability> ] [ -F <file format> ] [ -A <start time> ] [ -B <stop time> ] [ -h ] [ -r ] [ -s <snaplen> ] [ -t <time adjustment> ] [ -T <encapsulation type> ] [ -v ] infile outfile [ packet#[-packet#] ... ]

Editcap is a filter that reads some or all of the captured packets from the infile, optionally converts them in various ways and writes the resulting packets to the capture outfile (or outfiles).

By default, it reads all packets from the infile and writes them to the outfile in libpcap file format.

A list of packet numbers can be specified on the command line; ranges of packet numbers can be specified as start-end, referring to all packets from start to end. The selected packets with those numbers will not be written to the capture file. If the -r flag is specified, the whole packet selection is reversed; in that case only the selected packets will be written to the capture file.

Editcap is able to detect, read and write the same capture files that are supported by Ethereal. The input file doesn't need a specific filename extension, the file format and an optional gzip compression will be automatically detected. The capture file format section of ethereal(1) or http://www.ethereal.com/docs/man-pages/ethereal.1.html provides a detailed description.

Editcap can write the file in several output formats. The -F flag can be used to specify the format in which to write the capture file, editcap -F provides a list of the available output formats.

OPTIONS

-c <packets per file>
Sets the maximum number of packets per output file. Each output file will be created with a suffix -nnnnn, starting with 00000. If the specified number of packets are written to the output file, the next output file is opened. The default is to use a single output file.

-C <choplen>
Sets the chop length to use when writing the packet data. Each packet is chopped at the packet end by a few <choplen> bytes of data.

This is useful in the rare case that the conversion between two file formats leaves some random bytes at the end of each packet.

-E <error probability>
Sets the probabilty that bytes in the output file are randomly changed. Editcap uses that probability (between 0.0 and 1.0 inclusive) to apply errors to each data byte in the file. For instance, a probability of 0.02 means that each byte has a 2% chance of having an error.

This option is meant to be used for fuzz-testing protocol dissectors.

-F <file format>
Sets the file format of the output capture file. Editcap can write the file in several formats, editcap -F provides a list of the available output formats. The default is the libpcap format.

-A <start time>
Saves only the packets whose timestamp is on or after start time. The time is given in the following format YYYY-MM-DD HH:MM:SS

-B <stop time>
Saves only the packets whose timestamp is on or before stop time. The time is given in the following format YYYY-MM-DD HH:MM:SS

-h
Prints the version and options and exits.

-r
Reverse the packet selection. Causes the packets whose packet numbers are specified on the command line to be written to the output capture file, instead of discarding them.

-s <snaplen>
Sets the snapshot length to use when writing the data. If the -s flag is used to specify a snapshot length, packets in the input file with more captured data than the specified snapshot length will have only the amount of data specified by the snapshot length written to the output file.

This may be useful if the program that is to read the output file cannot handle packets larger than a certain size (for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet packets larger than the standard Ethernet MTU, making them incapable of handling gigabit Ethernet captures if jumbo packets were used).

-t <time adjustment>
Sets the time adjustment to use on selected packets. If the -t flag is used to specify a time adjustment, the specified adjustment will be applied to all selected packets in the capture file. The adjustment is specified as [-]seconds[.fractional seconds]. For example, -t 3600 advances the timestamp on selected packets by one hour while -t -0.5 reduces the timestamp on selected packets by one-half second.

This feature is useful when synchronizing dumps collected on different machines where the time difference between the two machines is known or can be estimated.

-T <encapsulation type>
Sets the packet encapsulation type of the output capture file. If the -T flag is used to specify an encapsulation type, the encapsulation type of the output capture file will be forced to the specified type. editcap -T provides a list of the available types. The default type is the one appropriate to the encapsulation type of the input capture file.

Note: this merely forces the encapsulation type of the output file to be the specified type; the packet headers of the packets will not be translated from the encapsulation type of the input capture file to the specified encapsulation type (for example, it will not translate an Ethernet capture to an FDDI capture if an Ethernet capture is read and '-T fddi' is specified).

-v
Causes editcap to print verbose messages while it's working.

Examples

To see more detailed description of the options use:

    editcap -h

To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:

    editcap -s 64 -F snoop capture.pcap shortcapture.snoop

To delete packet 1000 from the capture file use:

    editcap capture.pcap sans1000.pcap 1000

To limit a capture file to packets from number 200 to 750 (inclusive) use:

    editcap -r capture.pcap small.pcap 200-750

To get all packets from number 1-500 (inclusive) use:

    editcap -r capture.pcap 500.pcap 1-500

or

    editcap capture.pcap 500.pcap 501-9999999

To filter out packets 10 to 20 and 30 to 40 into a new file use:

    editcap capture.pcap selection.pcap 10-20 30-40

To introduce 5% random errors in a capture file use:

  editcap -E 0.05 capture.pcap capture_error.pcap


Top Visited
Switchboard
Latest
Past week
Past month

NEWS CONTENTS

Old News ;-)

[fw-wiz] [OT] tcpdump parsing -- editcap

Sloane, David DSloane@vfa.com
Wed Oct 8 14:40:32 2003
editcap is your friend.

It will break up the log file for you in a quick, memory-efficient way.

See http://www.ethereal.com/editcap.1.html

-David

-----Original Message-----
From: firewall-wizards-admin@honor.icsalabs.com
[mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Damian
Gerow
Sent: October 08, 2003 2:20 PM
To: firewall-wizards@honor.icsalabs.com
Subject: [fw-wiz] [OT] tcpdump parsing


First off, apologies for the off-topic post.  But I have no idea where
to turn for tcpdump help, and I figured most of the folks here have used
it at least moderately, if not extensively.

I've been spending the past week or so trying to track down what seems
to be a trojan that has been affecting our customers, that seems to come
and go. To give myself a little more to work with, I've nabbed 550MB
worth of network traffic from one of their links, spanning a couple of
days.

The problem is, I can't open this up in ethereal.  The file is just too
large.  I've tried trimming the fat down (POP3 sessions, web browsing
sessions, ICMP echo request/reply, certain gaming sites, etc.), but I'm
still sitting here with 500MB of traffic.

Is there a way to take a tcpdump binary file, and pull a date range from
it? The tcpdump man page leads me to believe no, and a fair bit of
Google searching has provided no leads.

I'd also be willing to try various other GUIs that understand tcpdump
output (so long as they run on X).  Yes, I'm fully aware that I can do
this all on the commandline, but I find the GUI a bit easier to work
with in this case.

Any pointers or suggestions are very welcomed at this point.  It's
frustrating to be sitting with the culprit on disk, but not be able to
find out who or what the culprit /is/.
_______________________________________________
firewall-wizards mailing list firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

FuzzTesting - The Wireshark Wiki

editcap can be used to introduce errors into normal capture files

editcap can be used to "fuzz" a capture file using the '-E' flag. For example,

        editcap -E 0.02 infile.pcap fuzzfile.pcap

would read infile.pcap and fuzz its contents, writing them to fuzzfile.pcap. There would be a 2% chance that any given payload byte would be fuzzed. There are four different fuzzing methods, chosen at random:

editcap is built together with Wireshark and is also shipped with the releases.

Reference

editcap - Edit and-or translate the format of capture files

Also at editcap - Edit and/or translate the format of capture files



Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D


Copyright © 1996-2020 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March, 12, 2019