seguridad/2.- Ejercicios/reto_seguridad/capturas/WiresharkPortable64/App/Wireshark/editcap.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.17">
<title>editcap(1)</title>
<link rel="stylesheet" href="./ws.css">
</head>
<body class="manpage">
<div id="header">
<h1>editcap(1) Manual Page</h1>
<h2 id="_name">NAME</h2>
<div class="sectionbody">
<p>editcap - Edit and/or translate the format of capture files</p>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_synopsis">SYNOPSIS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><span class="nowrap"><strong>editcap</strong></span>
<span class="nowrap">[ <strong>-a</strong> &lt;frame:comment&gt; ]</span>
<span class="nowrap">[ <strong>-A</strong> &lt;start time&gt; ]</span>
<span class="nowrap">[ <strong>-B</strong> &lt;stop time&gt; ]</span>
<span class="nowrap">[ <strong>-c</strong> &lt;packets per file&gt; ]</span>
<span class="nowrap">[ <strong>-C</strong> [offset:]&lt;choplen&gt; ]</span>
<span class="nowrap">[ <strong>-E</strong> &lt;error probability&gt; ]</span>
<span class="nowrap">[ <strong>-F</strong> &lt;file format&gt; ]</span>
<span class="nowrap">[ <strong>-i</strong> &lt;seconds per file&gt; ]</span>
<span class="nowrap">[ <strong>-o</strong> &lt;change offset&gt; ]</span>
<span class="nowrap">[ <strong>-L</strong> ]</span>
<span class="nowrap">[ <strong>-r</strong> ]</span>
<span class="nowrap">[ <strong>-s</strong> &lt;snaplen&gt; ]</span>
<span class="nowrap">[ <strong>-S</strong> &lt;strict time adjustment&gt; ]</span>
<span class="nowrap">[ <strong>-t</strong> &lt;time adjustment&gt; ]</span>
<span class="nowrap">[ <strong>-T</strong> &lt;encapsulation type&gt; ]</span>
<span class="nowrap">[ <strong>-V</strong> ]</span>
<span class="nowrap">[ <strong>--inject-secrets</strong> &lt;secrets type&gt;,&lt;file&gt; ]</span>
<span class="nowrap">[ <strong>--discard-all-secrets</strong> ]</span>
<span class="nowrap">[ <strong>--capture-comment</strong> &lt;comment&gt; ]</span>
<span class="nowrap">[ <strong>--discard-capture-comment</strong> ]</span>
<span class="nowrap"><em>infile</em></span>
<span class="nowrap"><em>outfile</em></span>
<span class="nowrap">[ <em>packet#</em>[-<em>packet#</em>] &#8230;&#8203; ]</span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>editcap</strong></span>
<span class="nowrap"><strong>-d</strong></span>
<span class="nowrap"><strong>-D</strong> &lt;dup window&gt;</span>
<span class="nowrap"><strong>-w</strong> &lt;dup time window&gt;</span>
<span class="nowrap">[ <strong>-V</strong> ]</span>
<span class="nowrap">[ <strong>-I</strong> &lt;bytes to ignore&gt; ]</span>
<span class="nowrap">[ <strong>--skip-radiotap-header</strong> ]</span>
<span class="nowrap"><em>infile</em></span>
<span class="nowrap"><em>outfile</em></span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>editcap</strong></span>
<span class="nowrap"><strong>-h|--help</strong></span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>editcap</strong></span>
<span class="nowrap"><strong>-v|--version</strong></span></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_description">DESCRIPTION</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>Editcap</strong> is a program that reads some or all of the captured packets from the
<em>infile</em>, optionally converts them in various ways and writes the
resulting packets to the capture <em>outfile</em> (or outfiles).</p>
</div>
<div class="paragraph">
<p>By default, it reads all packets from the <em>infile</em> and writes them to the
<em>outfile</em> in pcapng file format.  Use '-' for <em>infile</em> or <em>outfile</em>
to read from standard input or write to standard output, respectively.</p>
</div>
<div class="paragraph">
<p>The <strong>-A</strong> and <strong>-B</strong> option allow you to limit the time range from which packets
are read from the <em>infile</em>.</p>
</div>
<div class="paragraph">
<p>An optional list of packet numbers can be specified on the command tail;
individual packet numbers separated by whitespace and/or ranges of packet
numbers can be specified as <em>start</em>-<em>end</em>, referring to all packets from
<em>start</em> to <em>end</em>.  By default the selected packets with those numbers will
<em>not</em> be written to the capture file.  If the <strong>-r</strong> flag is specified, the
whole packet selection is reversed; in that case <em>only</em> the selected packets
will be written to the capture file.</p>
</div>
<div class="paragraph">
<p><strong>Editcap</strong> can also be used to remove duplicate packets.  Several different
options (<strong>-d</strong>, <strong>-D</strong> and <strong>-w</strong>) are used to control the packet window
or relative time window to be used for duplicate comparison.</p>
</div>
<div class="paragraph">
<p><strong>Editcap</strong> can be used to assign comment strings to frame numbers.</p>
</div>
<div class="paragraph">
<p><strong>Editcap</strong> is able to detect, read and write the same capture files that
are supported by <strong>Wireshark</strong>.
The input file doesn&#8217;t need a specific filename extension; the file
format and an optional gzip, zstd or lz4 compression will be automatically detected.
Near the beginning of the DESCRIPTION section of <a href="wireshark.html">wireshark</a>(1) or
<a href="https://www.wireshark.org/docs/man-pages/wireshark.html" class="bare">https://www.wireshark.org/docs/man-pages/wireshark.html</a>
is a detailed description of the way <strong>Wireshark</strong> handles this, which is
the same way <strong>Editcap</strong> handles this.</p>
</div>
<div class="paragraph">
<p><strong>Editcap</strong> can write the file in several output formats. The <strong>-F</strong>
flag can be used to specify the format in which to write the capture
file; <strong>editcap -F</strong> provides a list of the available output formats.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_options">OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">-a  &lt;framenum:comment&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>For the specified frame number, assign the given comment string.
Can be repeated for multiple frames.  Quotes should be used with comment
strings that include spaces.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-A  &lt;start time&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Reads only the packets whose timestamp is on or after start time.
The time is given in ISO 8601 format, either
YYYY-MM-DD HH:MM:SS[.nnnnnnnnn][Z|±hh:mm] or
YYYY-MM-DDTHH:MM:SS[.nnnnnnnnn][Z|±hh:mm] .
The fractional seconds are optional, as is the time zone offset from UTC
(in which case local time is assumed). Unix epoch timestamps
(floating point format) are also accepted.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-B  &lt;stop time&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Reads only the packets whose timestamp is before stop time.
The time is given in ISO 8601 format, either
YYYY-MM-DD HH:MM:SS[.nnnnnnnnn][Z|±hh:mm] or
YYYY-MM-DDTHH:MM:SS[.nnnnnnnnn][Z|±hh:mm] .
The fractional seconds are optional, as is the time zone offset from UTC
(in which case local time is assumed). Unix epoch timestamps
(floating point format) are also accepted.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-c  &lt;packets per file&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Splits the packet output to different files based on uniform packet counts
with a maximum of &lt;packets per file&gt; each.</p>
</div>
<div class="paragraph">
<p>Each output file will be created with an infix _nnnnn[_YYYYmmddHHMMSS] inserted
before the file extension (which may be null) of <em>outfile</em>.  The infix
consists of the ordinal number of the output file, starting with 00000,
followed by the timestamp of its first packet.  The timestamp is omitted if
the input file does not contain timestamp information.</p>
</div>
<div class="paragraph">
<p>After the specified number of packets is written to the output file, the next
output file is opened.  The default is to use a single output file.
This option conflicts with <strong>-i</strong>.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-C  [offset:]&lt;choplen&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the chop length to use when writing the packet data. Each packet is
chopped by &lt;choplen&gt; bytes of data. Positive values chop at the packet
beginning while negative values chop at the packet end.</p>
</div>
<div class="paragraph">
<p>If an optional offset precedes the &lt;choplen&gt;, then the bytes chopped will be
offset from that value. Positive offsets are from the packet beginning, while
negative offsets are from the packet end.</p>
</div>
<div class="paragraph">
<p>This is useful for chopping headers for decapsulation of an entire capture,
removing tunneling headers, or in the rare case that the conversion between two
file formats leaves some random bytes at the end of each packet. Another use is
for removing vlan tags.</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
This option can be used more than once, effectively allowing you to chop
bytes from up to two different areas of a packet in a single pass provided that
you specify at least one chop length as a positive value and at least one as a
negative value.  All positive chop lengths are added together as are all
negative chop lengths.
</td>
</tr>
</table>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-d</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Attempts to remove duplicate packets.  The length and MD5 hash of the
current packet are compared to the previous four (4) packets.  If a
match is found, the current packet is skipped.  This option is equivalent
to using the option <strong>-D 5</strong>.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-D  &lt;dup window&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Attempts to remove duplicate packets.  The length and MD5 hash of the
current packet are compared to the previous &lt;dup window&gt; - 1 packets.
If a match is found, the current packet is skipped.</p>
</div>
<div class="paragraph">
<p>The use of the option <strong>-D 0</strong> combined with the <strong>-V</strong> option is useful
in that each packet&#8217;s Packet number, Len and MD5 Hash will be printed
to standard error.  This verbose output (specifically the MD5 hash strings)
can be useful in scripts to identify duplicate packets across trace
files.</p>
</div>
<div class="paragraph">
<p>The &lt;dup window&gt; is specified as an integer value between 0 and 1000000 (inclusive).</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
Specifying large &lt;dup window&gt; values with large tracefiles can
result in very long processing times for <strong>editcap</strong>.
</td>
</tr>
</table>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-E  &lt;error probability&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the probability that bytes in the output file are randomly changed.
<strong>Editcap</strong> uses that probability (between 0.0 and 1.0 inclusive)
to apply errors to each data byte in the file.  For instance, a
probability of 0.02 means that each byte has a 2% chance of having an error.</p>
</div>
<div class="paragraph">
<p>This option is meant to be used for fuzz-testing protocol dissectors.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-F  &lt;file format&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the file format of the output capture file.
<strong>Editcap</strong> can write the file in several formats, <strong>editcap -F</strong>
provides a list of the available output formats. The default
is the <strong>pcapng</strong> format.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-h|--help</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Prints the version and options and exits.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-i  &lt;seconds per file&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Splits the packet output to different files based on uniform time
intervals using a maximum interval of &lt;seconds per file&gt; each.  Floating
point values (e.g. 0.5) are allowed.</p>
</div>
<div class="paragraph">
<p>Each output file will be created with an infix _nnnnn[_YYYYmmddHHMMSS] inserted
before the file extension (which may be null) of <em>outfile</em>.  The infix
consists of the ordinal number of the output file, starting with 00000,
followed by the timestamp of its first packet.  The timestamp is omitted if
the input file does not contain timestamp information.</p>
</div>
<div class="paragraph">
<p>After packets for the specified time interval are written to the output file,
the next output file is opened.  The default is to use a single output file.
This option conflicts with <strong>-c</strong>.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-I  &lt;bytes to ignore&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Ignore the specified number of bytes at the beginning of the frame during MD5 hash calculation,
unless the frame is too short, then the full frame is used.
Useful to remove duplicated packets taken on several routers (different mac addresses for example)
e.g. -I 26 in case of Ether/IP will ignore ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
The default value is 0.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-L</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Adjust the original frame length accordingly when chopping and/or snapping
(in addition to the captured length, which is always adjusted regardless of
whether <strong>-L</strong> is specified or not).  See also <strong>-C &lt;choplen</strong>&gt; and <strong>-s &lt;snaplen</strong>&gt;.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-o  &lt;change offset&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>When used in conjunction with -E, skip some bytes from the beginning of the packet
from being changed. In this way some headers don&#8217;t get changed, and the fuzzer is
more focused on a smaller part of the packet. Keeping a part of the packet fixed
the same dissector is triggered, that make the fuzzing more precise.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-r</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Reverse the packet selection.
Causes the packets whose packet numbers are specified on the command
line to be written to the output capture file, instead of discarding them.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-s  &lt;snaplen&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the snapshot length to use when writing the data.
If the <strong>-s</strong> flag is used to specify a snapshot length, packets in the
input file with more captured data than the specified snapshot length
will have only the amount of data specified by the snapshot length
written to the output file.</p>
</div>
<div class="paragraph">
<p>This may be useful if the program that is
to read the output file cannot handle packets larger than a certain size
(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6
appear to reject Ethernet packets larger than the standard Ethernet MTU,
making them incapable of handling gigabit Ethernet captures if jumbo
packets were used).</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--seed  &lt;seed&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>When used in conjunction with -E, set the seed for the pseudo-random number generator.
This is useful for recreating a particular sequence of errors.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--skip-radiotap-header</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Skip the radiotap header of each frame when checking for packet duplicates. This is useful
when processing a capture created by combining outputs of multiple capture devices on the same
channel in the vicinity of each other.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-S  &lt;strict time adjustment&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Time adjust selected packets to ensure strict chronological order.</p>
</div>
<div class="paragraph">
<p>The &lt;strict time adjustment&gt; value represents relative seconds
specified as <em class="-">seconds</em>[<em>.fractional seconds</em>].</p>
</div>
<div class="paragraph">
<p>As the capture file is processed each packet&#8217;s absolute time is
<em>possibly</em> adjusted to be equal to or greater than the previous
packet&#8217;s absolute timestamp depending on the &lt;strict time
adjustment&gt; value.</p>
</div>
<div class="paragraph">
<p>If &lt;strict time adjustment&gt; value is 0 or greater (e.g. 0.000001)
then <strong>only</strong> packets with a timestamp less than the previous packet
will adjusted.  The adjusted timestamp value will be set to be
equal to the timestamp value of the previous packet plus the value
of the &lt;strict time adjustment&gt; value.  A &lt;strict time adjustment&gt;
value of 0 will adjust the minimum number of timestamp values
necessary to ensure that the resulting capture file is in
strict chronological order.</p>
</div>
<div class="paragraph">
<p>If &lt;strict time adjustment&gt; value is specified as a
negative value, then the timestamp values of <strong>all</strong>
packets will be adjusted to be equal to the timestamp value
of the previous packet plus the absolute value of the
&lt;strict time adjustment&gt; value. A &lt;strict time
adjustment&gt; value of -0 will result in all packets
having the timestamp value of the first packet.</p>
</div>
<div class="paragraph">
<p>This feature is useful when the trace file has an occasional
packet with a negative delta time relative to the previous
packet.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-t  &lt;time adjustment&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the time adjustment to use on selected packets.
If the <strong>-t</strong> flag is used to specify a time adjustment, the specified
adjustment will be applied to all selected packets in the capture file.
The adjustment is specified as <em class="-">seconds</em>[<em>.fractional seconds</em>].
For example, <strong>-t</strong> 3600 advances the timestamp on selected packets by one
hour while <strong>-t</strong> -0.5 reduces the timestamp on selected packets by
one-half second.</p>
</div>
<div class="paragraph">
<p>This feature is useful when synchronizing dumps
collected on different machines where the time difference between the
two machines is known or can be estimated.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-T  &lt;encapsulation type&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the packet encapsulation type of the output capture file.
If the <strong>-T</strong> flag is used to specify an encapsulation type, the
encapsulation type of the output capture file will be forced to the
specified type.
<strong>editcap -T</strong> provides a list of the available types. The default
type is the one appropriate to the encapsulation type of the input
capture file.</p>
</div>
<div class="paragraph">
<p>Note: this merely
forces the encapsulation type of the output file to be the specified
type; the packet headers of the packets will not be translated from the
encapsulation type of the input capture file to the specified
encapsulation type (for example, it will not translate an Ethernet
capture to an FDDI capture if an Ethernet capture is read and '<strong>-T
 fddi</strong>' is specified). If you need to remove/add headers from/to a
packet, you will need od(1)/<a href="text2pcap.html">text2pcap</a>(1).</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-v|--version</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print the version and exit.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-V</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Causes <strong>editcap</strong> to print verbose messages while it&#8217;s working.</p>
</div>
<div class="paragraph">
<p>Use of <strong>-V</strong> with the de-duplication switches of <strong>-d</strong>, <strong>-D</strong> or <strong>-w</strong>
will cause all MD5 hashes to be printed whether the packet is skipped
or not.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-w  &lt;dup time window&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Attempts to remove duplicate packets.  The current packet&#8217;s arrival time
is compared with up to 1000000 previous packets.  If the packet&#8217;s relative
arrival time is <em>less than or equal to</em> the &lt;dup time window&gt; of a previous packet
and the packet length and MD5 hash of the current packet are the same then
the packet to skipped.  The duplicate comparison test stops when
the current packet&#8217;s relative arrival time is greater than &lt;dup time window&gt;.</p>
</div>
<div class="paragraph">
<p>The &lt;dup time window&gt; is specified as <em>seconds</em>[<em>.fractional seconds</em>].</p>
</div>
<div class="paragraph">
<p>The [.fractional seconds] component can be specified to nine (9) decimal
places (billionths of a second) but most typical trace files have resolution
to six (6) decimal places (millionths of a second).</p>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
Specifying large &lt;dup time window&gt; values with large tracefiles can
result in very long processing times for <strong>editcap</strong>.
</td>
</tr>
</table>
</div>
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<div class="title">Note</div>
</td>
<td class="content">
The <strong>-w</strong> option assumes that the packets are in chronological order.
If the packets are NOT in chronological order then the <strong>-w</strong> duplication
removal option may not identify some duplicates.
</td>
</tr>
</table>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--inject-secrets &lt;secrets type&gt;,&lt;file&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Inserts the contents of &lt;file&gt; into a Decryption Secrets Block (DSB)
within the pcapng output file. This enables decryption without requiring
additional configuration in protocol preferences.</p>
</div>
<div class="paragraph">
<p>The file format is described by &lt;secrets type&gt; which can be one of:</p>
</div>
<div class="paragraph">
<p><em>tls</em>  TLS Key Log as described at <a href="https://developer.mozilla.org/NSS_Key_Log_Format" class="bare">https://developer.mozilla.org/NSS_Key_Log_Format</a>
<em>wg</em>   WireGuard Key Log, see <a href="https://gitlab.com/wireshark/wireshark/-/wikis/WireGuard#key-log-format" class="bare">https://gitlab.com/wireshark/wireshark/-/wikis/WireGuard#key-log-format</a></p>
</div>
<div class="paragraph">
<p>This option may be specified multiple times. The available options for
&lt;secrets type&gt; can be listed with <strong>--inject-secrets help</strong>.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--discard-all-secrets</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Discard all decryption secrets from the input file when writing the
output file.  Does not discard secrets added by <strong>--inject-secrets</strong> in
the same command line.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--capture-comment &lt;comment&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Adds the given comment to the output file, if supported by the output
file format.  New comments will be added <em>after</em> any comments present
in the input file unless <strong>--discard-capture-comment</strong> is also specified.</p>
</div>
<div class="paragraph">
<p>This option may be specified multiple times.  Note that Wireshark
currently only displays the first comment of a capture file.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">--discard-capture-comment</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Discard all capture file comments from the input file when writing the output
file. Does not discard comments added by <strong>--capture-comment</strong> in the same
command line.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_diagnostic_options">DIAGNOSTIC OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">--log-level &lt;level&gt;</dt>
<dd>
<p>Set the active log level.
Supported levels in lowest to highest order are "noisy", "debug", "info", "message", "warning", "critical", and "error".
Messages at each level and higher will be printed, for example "warning" prints "warning", "critical", and "error" messages and "noisy" prints all messages.
Levels are case insensitive.</p>
</dd>
<dt class="hdlist1">--log-fatal &lt;level&gt;</dt>
<dd>
<p>Abort the program if any messages are logged at the specified level or higher.
For example, "warning" aborts on any "warning", "critical", or "error" messages.</p>
</dd>
</dl>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">--log-domains &lt;list&gt;</dt>
<dd>
<p>Only print messages for the specified log domains, e.g. "GUI,Epan,sshdump".
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-debug &lt;list&gt;</dt>
<dd>
<p>Force the specified domains to log at the "debug" level.
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-noisy &lt;list&gt;</dt>
<dd>
<p>Force the specified domains to log at the "noisy" level.
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-file &lt;path&gt;</dt>
<dd>
<p>Write log messages and stderr output to the specified file.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_examples">EXAMPLES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To see more detailed description of the options use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -h</pre>
</div>
</div>
<div class="paragraph">
<p>To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -s 64 -F snoop capture.pcapng shortcapture.snoop</pre>
</div>
</div>
<div class="paragraph">
<p>To delete packet 1000 from the capture file use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap capture.pcapng sans1000.pcapng 1000</pre>
</div>
</div>
<div class="paragraph">
<p>To limit a capture file to packets from number 200 to 750 (inclusive) use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -r capture.pcapng small.pcapng 200-750</pre>
</div>
</div>
<div class="paragraph">
<p>To get all packets from number 1-500 (inclusive) use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -r capture.pcapng first500.pcapng 1-500</pre>
</div>
</div>
<div class="paragraph">
<p>or</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap capture.pcapng first500.pcapng 501-9999999</pre>
</div>
</div>
<div class="paragraph">
<p>To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap capture.pcapng exclude.pcapng 1 5 10-20 30-40</pre>
</div>
</div>
<div class="paragraph">
<p>To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -r capture.pcapng select.pcapng 1 5 10-20 30-40</pre>
</div>
</div>
<div class="paragraph">
<p>To remove duplicate packets seen within the prior four frames use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -d capture.pcapng dedup.pcapng</pre>
</div>
</div>
<div class="paragraph">
<p>To remove duplicate packets seen within the prior four frames while skipping radiotap headers use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -d --skip-radiotap-header capture.pcapng dedup.pcapng</pre>
</div>
</div>
<div class="paragraph">
<p>To remove duplicate packets seen within the prior 100 frames use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -D 101 capture.pcapng dedup.pcapng</pre>
</div>
</div>
<div class="paragraph">
<p>To remove duplicate packets seen <em>equal to or less than</em> 1/10th of a second:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -w 0.1 capture.pcapng dedup.pcapng</pre>
</div>
</div>
<div class="paragraph">
<p>To display the MD5 hash for all of the packets (and NOT generate any
real output file):</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -V -D 0 capture.pcapng /dev/null</pre>
</div>
</div>
<div class="paragraph">
<p>or on Windows systems</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -V -D 0 capture.pcapng NUL</pre>
</div>
</div>
<div class="paragraph">
<p>To advance the timestamps of each packet forward by 3.0827 seconds:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -t 3.0827 capture.pcapng adjusted.pcapng</pre>
</div>
</div>
<div class="paragraph">
<p>To ensure all timestamps are in strict chronological order:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -S 0 capture.pcapng adjusted.pcapng</pre>
</div>
</div>
<div class="paragraph">
<p>To introduce 5% random errors in a capture file use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -E 0.05 capture.pcapng capture_error.pcapng</pre>
</div>
</div>
<div class="paragraph">
<p>To remove vlan tags from all packets within an Ethernet-encapsulated capture
file, use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -L -C 12:4 capture_vlan.pcapng capture_no_vlan.pcapng</pre>
</div>
</div>
<div class="paragraph">
<p>To chop both the 10 byte and 20 byte regions from the following 75 byte packet
in a single pass, use any of the 8 possible methods provided below:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>&lt;--------------------------- 75 ----------------------------&gt;</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>+---+-------+-----------+---------------+-------------------+
| 5 |   10  |     15    |       20      |         25        |
+---+-------+-----------+---------------+-------------------+</pre>
</div>
</div>
<div class="literalblock">
<div class="content">
<pre>1) editcap -C 5:10 -C -25:-20 capture.pcapng chopped.pcapng
2) editcap -C 5:10 -C 50:-20 capture.pcapng chopped.pcapng
3) editcap -C -70:10 -C -25:-20 capture.pcapng chopped.pcapng
4) editcap -C -70:10 -C 50:-20 capture.pcapng chopped.pcapng
5) editcap -C 30:20 -C -60:-10 capture.pcapng chopped.pcapng
6) editcap -C 30:20 -C 15:-10 capture.pcapng chopped.pcapng
7) editcap -C -45:20 -C -60:-10 capture.pcapng chopped.pcapng
8) editcap -C -45:20 -C 15:-10 capture.pcapng chopped.pcapng</pre>
</div>
</div>
<div class="paragraph">
<p>To add comment strings to the first 2 input frames, use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -a "1:1st frame" -a 2:Second capture.pcapng capture-comments.pcapng</pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_see_also">SEE ALSO</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://www.tcpdump.org/manpages/pcap.3pcap.html">pcap</a>(3), <a href="wireshark.html">wireshark</a>(1), <a href="tshark.html">tshark</a>(1), <a href="mergecap.html">mergecap</a>(1), <a href="dumpcap.html">dumpcap</a>(1), <a href="capinfos.html">capinfos</a>(1),
<a href="text2pcap.html">text2pcap</a>(1), <a href="reordercap.html">reordercap</a>(1), od(1), <a href="https://www.tcpdump.org/manpages/pcap-filter.7.html">pcap-filter</a>(7) or <a href="https://www.tcpdump.org/manpages/tcpdump.1.html">tcpdump</a>(8)</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_notes">NOTES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>This is the manual page for <strong>Editcap</strong> 4.0.5.
<strong>Editcap</strong> is part of the <strong>Wireshark</strong> distribution.
The latest version of <strong>Wireshark</strong> can be found at <a href="https://www.wireshark.org" class="bare">https://www.wireshark.org</a>.</p>
</div>
<div class="paragraph">
<p>HTML versions of the Wireshark project man pages are available at
<a href="https://www.wireshark.org/docs/man-pages" class="bare">https://www.wireshark.org/docs/man-pages</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_authors">AUTHORS</h2>
<div class="sectionbody">
<div class="paragraph">
<div class="title">Original Author</div>
<p>Richard Sharpe &lt;sharpe[AT]ns.aus.com&gt;</p>
</div>
<div class="paragraph">
<div class="title">Contributors</div>
<p>Guy Harris &lt;guy[AT]alum.mit.edu&gt;<br>
Ulf Lamping &lt;ulf.lamping[AT]web.de&gt;</p>
</div>
</div>
</div>
</div>
</body>
</html>