| blob | 7d7ce7092a36736f6a0425b30d5aff22c03cd153 |
1 Editcap (Wireshark) 4.5.0 (v4.5.0rc0-48-g7b7ca8210417)
2 Edit and/or translate the format of capture files.
3 See https://www.wireshark.org for more information.
5 Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
7 <infile> and <outfile> must both be present; use '-' for stdin or stdout.
8 A single packet or a range of packets can be selected.
10 Packet selection:
11 -r keep the selected packets; default is to delete them.
12 -A <start time> only read packets whose timestamp is after (or equal
13 to) the given time.
14 -B <stop time> only read packets whose timestamp is before the
15 given time.
16 Time format for -A/-B options is
17 YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
18 Unix epoch timestamps are also supported.
20 Duplicate packet removal:
21 --novlan remove vlan info from packets before checking for duplicates.
22 -d remove packet if duplicate (window == 5).
23 -D <dup window> remove packet if duplicate; configurable <dup window>.
24 Valid <dup window> values are 0 to 1000000.
25 NOTE: A <dup window> of 0 with -V (verbose option) is
26 useful to print MD5 hashes.
27 -w <dup time window> remove packet if duplicate packet is found EQUAL TO OR
28 LESS THAN <dup time window> prior to current packet.
29 A <dup time window> is specified in relative seconds
30 (e.g. 0.000001).
31 NOTE: The use of the 'Duplicate packet removal' options with
32 other editcap options except -V may not always work as expected.
33 Specifically the -r, -t or -S options will very likely NOT have the
34 desired effect if combined with the -d, -D or -w.
35 --skip-radiotap-header skip radiotap header when checking for packet duplicates.
36 Useful when processing packets captured by multiple radios
37 on the same channel in the vicinity of each other.
38 --set-unused set unused byts to zero in sll link addr.
40 Packet manipulation:
41 -s <snaplen> truncate each packet to max. <snaplen> bytes of data.
42 -C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values
43 chop at the packet beginning, negative values at the
44 packet end. If an optional offset precedes the length,
45 then the bytes chopped will be offset from that value.
46 Positive offsets are from the packet beginning,
47 negative offsets are from the packet end. You can use
48 this option more than once, allowing up to 2 chopping
49 regions within a packet provided that at least 1
50 choplen is positive and at least 1 is negative.
51 -L adjust the frame (i.e. reported) length when chopping
52 and/or snapping.
53 -t <time adjustment> adjust the timestamp of each packet.
54 <time adjustment> is in relative seconds (e.g. -0.5).
55 -S <strict adjustment> adjust timestamp of packets if necessary to ensure
56 strict chronological increasing order. The <strict
57 adjustment> is specified in relative seconds with
58 values of 0 or 0.000001 being the most reasonable.
59 A negative adjustment value will modify timestamps so
60 that each packet's delta time is the absolute value
61 of the adjustment specified. A value of -0 will set
62 all packets to the timestamp of the first packet.
63 -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
64 a particular packet byte will be randomly changed.
65 -o <change offset> When used in conjunction with -E, skip some bytes from the
66 beginning of the packet. This allows one to preserve some
67 bytes, in order to have some headers untouched.
68 --seed <seed> When used in conjunction with -E, set the seed to use for
69 the pseudo-random number generator. This allows one to
70 repeat a particular sequence of errors.
71 -I <bytes to ignore> ignore the specified number of bytes at the beginning
72 of the frame during MD5 hash calculation, unless the
73 frame is too short, then the full frame is used.
74 Useful to remove duplicated packets taken on
75 several routers (different mac addresses for
76 example).
77 e.g. -I 26 in case of Ether/IP will ignore
78 ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
79 -a <framenum>:<comment> Add or replace comment for given frame number
81 Output File(s):
82 if the output file(s) have the .gz extension, then
83 gzip compression will be used
84 -c <packets per file> split the packet output to different files based on
85 uniform packet counts with a maximum of
86 <packets per file> each.
87 -i <seconds per file> split the packet output to different files based on
88 uniform time intervals with a maximum of
89 <seconds per file> each.
90 -F <capture type> set the output file type; default is pcapng.
91 An empty "-F" option will list the file types.
92 -T <encap type> set the output file encapsulation type; default is the
93 same as the input file. An empty "-T" option will
94 list the encapsulation types.
95 --inject-secrets <type>,<file> Insert decryption secrets from <file>. List
96 supported secret types with "--inject-secrets help".
97 --extract-secrets Extract decryption secrets into the output file instead.
98 Incompatible with other options besides -V.
99 --discard-all-secrets Discard all decryption secrets from the input file
100 when writing the output file. Does not discard
101 secrets added by "--inject-secrets" in the same
102 command line.
103 --capture-comment <comment>
104 Add a capture file comment, if supported.
105 --discard-capture-comment
106 Discard capture file comments from the input file
107 when writing the output file. Does not discard
108 comments added by "--capture-comment" in the same
109 command line.
110 --discard-packet-comments
111 Discard all packet comments from the input file
112 when writing the output file. Does not discard
113 comments added by "-a" in the same command line.
114 --compress <type> Compress the output file using the type compression format.
116 Miscellaneous:
117 -h, --help display this help and exit.
118 -V verbose output.
119 If -V is used with any of the 'Duplicate Packet
120 Removal' options (-d, -D or -w) then Packet lengths
121 and MD5 hashes are printed to standard-error.
122 -v, --version print version information and exit.