Introduction

Editcap is one of the optional tools installed alongside Wireshark: a command-line program for editing packet capture files.

editcap [ -a <frame:comment> ] [ -A <start time> ] [ -B <stop time> ] [ -c <packets per file> ] [ -C [offset:]<choplen> ] [ -E <error probability> ] [ -F <file format> ] [ -i <seconds per file> ] [ -o <change offset> ] [ -L ] [ -r ] [ -s <snaplen> ] [ -S <strict time adjustment> ] [ -t <time adjustment> ] [ -T <encapsulation type> ] [ -V ] [ --inject-secrets <secrets type>,<file> ] [ --discard-all-secrets ] [ --capture-comment <comment> ] [ --discard-capture-comment ] infile outfile [ packet#[-packet#] … ]

editcap -d -D <dup window> -w <dup time window> [ -V ] [ -I <bytes to ignore> ] [ --skip-radiotap-header ] infile outfile

editcap -h|--help

editcap -v|--version

Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)

Description

Editcap is a program that reads some or all of the captured packets from a file, optionally converts them in various ways, and writes the resulting packets to an output file. By default it reads all packets from the input file and writes them to the output file in pcapng format.

Some common uses of Editcap:

  • Selecting packets by time, length and similar criteria.
  • Removing duplicate packets, with control over the packet window or relative time window used for the duplicate comparison.
  • Editing the comment (description) of a frame.
  • Detecting, reading and writing the same capture file formats that Wireshark supports.
  • Writing files in several output formats.

Options

$ editcap
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present; use '-' for stdin or stdout.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only read packets whose timestamp is after (or equal
                         to) the given time.
  -B <stop time>         only read packets whose timestamp is before the
                         given time.
                         Time format for -A/-B options is
                         YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
                         Unix epoch timestamps are also supported.

Duplicate packet removal:
  --novlan               remove vlan info from packets before checking for duplicates.
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>.
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -V (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).
           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -V may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.
  --skip-radiotap-header skip radiotap header when checking for packet duplicates.
                         Useful when processing packets captured by multiple radios
                         on the same channel in the vicinity of each other.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame (i.e. reported) length when chopping
                         and/or snapping.
  -t <time adjustment>   adjust the timestamp of each packet.
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                         a particular packet byte will be randomly changed.
  -o <change offset>     When used in conjunction with -E, skip some bytes from the
                         beginning of the packet. This allows one to preserve some
                         bytes, in order to have some headers untouched.
  --seed <seed>          When used in conjunction with -E, set the seed to use for
                         the pseudo-random number generator. This allows one to
                         repeat a particular sequence of errors.
  -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                         of the frame during MD5 hash calculation, unless the
                         frame is too short, then the full frame is used.
                         Useful to remove duplicated packets taken on
                         several routers (different mac addresses for
                         example).
                         e.g. -I 26 in case of Ether/IP will ignore
                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
  -a <framenum>:<comment> Add or replace comment for given frame number

Output File(s):
  -c <packets per file>  split the packet output to different files based on
                         uniform packet counts with a maximum of
                         <packets per file> each.
  -i <seconds per file>  split the packet output to different files based on
                         uniform time intervals with a maximum of
                         <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng.
                         An empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type; default is the
                         same as the input file. An empty "-T" option will
                         list the encapsulation types.
  --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List
                         supported secret types with "--inject-secrets help".
  --discard-all-secrets  Discard all decryption secrets from the input file
                         when writing the output file.  Does not discard
                         secrets added by "--inject-secrets" in the same
                         command line.
  --capture-comment <comment>
                         Add a capture file comment, if supported.
  --discard-capture-comment
                         Discard capture file comments from the input file
                         when writing the output file.  Does not discard
                         comments added by "--capture-comment" in the same
                         command line.

Miscellaneous:
  -h, --help             display this help and exit.
  -V                     verbose output.
                         If -V is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-error.
  -v, --version          print version information and exit.

Examples

The following examples illustrate what each option does. The main facts about the trace file used for testing are as follows.

$ capinfos test.pcapng
File name:           test.pcapng
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Number of packets:   20 k
File size:           9213 kB
Data size:           8530 kB
Capture duration:    37.528437 seconds
First packet time:   2021-08-15 21:34:27.791910
Last packet time:    2021-08-15 21:35:05.320347
Data byte rate:      227 kBps
Data bit rate:       1818 kbps
Average packet size: 419.22 bytes
Average packet rate: 542 packets/s
SHA256:              03cdf99c02a73c3a0ada4f857eaffa587fd78d081cc8cd4e0c7b79f1587086fa
RIPEMD160:           78696db33a42825bb42a7c63d0fc6053cc88e851
SHA1:                7c9d9db15cfa4c237c16289862e9b1cde08a760f
Strict time order:   False
Capture hardware:    Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz (with SSE4.2)
Capture oper-sys:    64-bit Windows 10 (1809), build 17763
Capture application: Dumpcap (Wireshark) 3.4.7 (v3.4.7-0-ge42cbf6a415f)
Capture comment:     test
Number of interfaces in file: 1
Interface #0 info:
                     Name = \Device\NPF_{15DAC5F9-EEF5-4A7E-A590-E0968FC225A4}
                     Description = Ethernet0
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Time resolution = 0x06
                     Operating system = 64-bit Windows 10 (1809), build 17763
                     Number of stat entries = 1
                     Number of packets = 20348

Packet selection

The packet selection options are mainly the following:

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only read packets whose timestamp is after (or equal
                         to) the given time.
  -B <stop time>         only read packets whose timestamp is before the
                         given time.
                         Time format for -A/-B options is
                         YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
                         Unix epoch timestamps are also supported.

$ editcap -r test.pcapng test1.pcapng 1-10
Keep packets #1 to #10 of test.pcapng and save them as test1.pcapng.

$ editcap -r test.pcapng test1.pcapng 10
Keep packet #10 of test.pcapng and save it as test1.pcapng.

$ editcap -A "2021-08-15 21:35:00" test.pcapng test1.pcapng
Read the packets of test.pcapng after the given time and save them as test1.pcapng.

$ editcap -B "2021-08-15 21:35:00" test.pcapng test1.pcapng
Read the packets of test.pcapng before the given time and save them as test1.pcapng.

$ editcap -A "2021-08-15 21:34:30" -B "2021-08-15 21:35:00" test.pcapng test1.pcapng
Read the packets of test.pcapng between the two given times and save them as test1.pcapng.

Duplicate packet removal

The duplicate packet removal options are mainly the following:

Duplicate packet removal:
  --novlan               remove vlan info from packets before checking for duplicates.
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>.
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -V (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).
           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -V may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.
  --skip-radiotap-header skip radiotap header when checking for packet duplicates.
                         Useful when processing packets captured by multiple radios
                         on the same channel in the vicinity of each other.

$ editcap --novlan test.pcapng test1.pcapng
Tested on the trace file, this had no visible effect. From the documentation it appears to depend on the packet file: the packets must be in Linux SLL + VLAN form.

$ editcap -d test.pcapng test1.pcapng
2 packets seen, 1 packet skipped with duplicate window of 5 packets.
Tries to remove duplicate packets: the length and MD5 hash of the current packet are compared with those of the previous 4 packets, and if a match is found the current packet is removed. This option is equivalent to -D 5.

$ editcap -d -D 6 test1.pcapng test2.pcapng
6 packets seen, 1 packet skipped with duplicate window of 6 packets.
With a window of 6, the length and MD5 hash of the current packet are compared with those of the previous 5 packets.

$ editcap -D 0 -V test1.pcapng test2.pcapng
File test1.pcapng is a InfoVista 5View capture capture file.
Packet: 1, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
Packet: 2, Len: 112, MD5 Hash: 8115aa6990b2064660934f36f1b5bacc
Packet: 3, Len: 112, MD5 Hash: 1fbf43ee3fb682cb82d5adddf87bb0cc
Packet: 4, Len: 112, MD5 Hash: 129fcc09853b16a260b55b92656fb148
Packet: 5, Len: 112, MD5 Hash: 4f2a15c3946ab86b6fccf70ad84d57a9
Packet: 6, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
6 packets seen, 0 packets skipped with duplicate window of 0 packets.

$ editcap -w 0.000015 test.pcapng test2.pcapng
6 packets seen, 1 packet skipped with duplicate time window equal to or less than 0.000015000 seconds.

$ editcap --skip-radiotap-header
Skip the radiotap header when checking for duplicate packets. Not tested, as no suitable packet file was available.

Packet manipulation

The packet manipulation options are mainly the following:

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame (i.e. reported) length when chopping
                         and/or snapping.
  -t <time adjustment>   adjust the timestamp of each packet.
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                         a particular packet byte will be randomly changed.
  -o <change offset>     When used in conjunction with -E, skip some bytes from the
                         beginning of the packet. This allows one to preserve some
                         bytes, in order to have some headers untouched.
  --seed <seed>          When used in conjunction with -E, set the seed to use for
                         the pseudo-random number generator. This allows one to
                         repeat a particular sequence of errors.
  -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                         of the frame during MD5 hash calculation, unless the
                         frame is too short, then the full frame is used.
                         Useful to remove duplicated packets taken on
                         several routers (different mac addresses for
                         example).
                         e.g. -I 26 in case of Ether/IP will ignore
                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
  -a <framenum>:<comment> Add or replace comment for given frame number

$ editcap -s 60 test.pcapng test1.pcapng
Truncate each packet to 60 bytes.

$ editcap -C 12:4 test.pcapng test2.pcapng
Remove the VLAN tag (the 4 bytes at offset 12).

For a packet laid out as follows:

+---+-------+-----------+---------------+-------------------+
| 5 |   10  |     15    |       20      |         25        |
+---+-------+-----------+---------------+-------------------+

each of the following commands removes the bytes of the 10 and 20 regions:
$ editcap -C 5:10 -C -25:-20 test1.pcapng test2.pcapng
$ editcap -C 5:10 -C 50:-20 test1.pcapng test2.pcapng
$ editcap -C -70:10 -C -25:-20 test1.pcapng test2.pcapng
$ editcap -C -70:10 -C 50:-20 test1.pcapng test2.pcapng
$ editcap -C 30:20 -C -60:-10 test1.pcapng test2.pcapng
$ editcap -C 30:20 -C 15:-10 test1.pcapng test2.pcapng
$ editcap -C -45:20 -C -60:-10 test1.pcapng test2.pcapng
$ editcap -C -45:20 -C 15:-10 test1.pcapng test2.pcapng

$ editcap -L -C 12:4 test.pcapng test2.pcapng
Without -L, -C removes 4 bytes and the packet is shown with a Frame length of 112 and a captured length of 108; with -L, -C removes 4 bytes and the packet is shown with a Frame length of 108 and a captured length of 108.

$ editcap -t -1 test.pcapng test2.pcapng
Shift the timestamp of every packet 1 s earlier.

$ editcap -S -1 test.pcapng test2.pcapng
Rewrite the timestamps so that each packet is 1 s after the previous one, in strictly increasing order.

$ editcap -E 0.2 test.pcapng test2.pcapng
Set the probability that any given packet byte is randomly changed to 0.2. This option is used to fuzz protocol dissectors.

$ editcap -E 0.2 -o 34 test.pcapng test2.pcapng
Skip the first 34 bytes of each packet, and set the probability that any given byte after them is randomly changed to 0.2.

$ editcap -E 0.2 --seed 10 test.pcapng test2.pcapng
Set the seed of the pseudo-random number generator, which allows a particular sequence of errors to be repeated.

$ editcap -d -I 26 test.pcapng test2.pcapng
20348 packets seen, 11 packets skipped with duplicate window of 5 packets.
Ignore the specified number of bytes at the beginning of the frame when computing the MD5 hash, unless the frame is too short, in which case the full frame is used.

$ editcap -a 1:"test teset" test.pcapng test2.pcapng
Add or replace the comment of the specified packet.
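The -s, -C and -L rules quoted above, modelled in Python as an added example (not editcap's own code): it checks that the eight -C combinations listed for the 5/10/15/20/25-byte diagram remove the same bytes, and reproduces the 112/108 versus 108/108 lengths of the -L comparison. The packet and the VLAN-tagged frame are constructed.

```python
"""Model of editcap's -s <snaplen>, -C [offset:]<choplen> and -L handling.

Added example, not editcap's own code. It applies the rules from the help text
to a byte string so the effect of each option can be inspected offline.
"""


def parse_chop(spec: str):
    """One -C argument: '<choplen>' or '<offset>:<choplen>' -> (offset, choplen)."""
    if ":" in spec:
        offset, choplen = spec.split(":", 1)
        return int(offset), int(choplen)
    return 0, int(spec)


def chop_region(caplen: int, offset: int, choplen: int):
    """Map one (offset, choplen) to a [start, end) range of the original frame.
    Positive choplen removes bytes starting at the offset, negative choplen
    removes bytes ending at the offset; offset >= 0 counts from the frame start,
    offset < 0 from its end (offset 0 with a negative choplen means the end)."""
    if choplen == 0:
        return None
    if choplen > 0:
        start = offset if offset >= 0 else caplen + offset
        end = start + choplen
    else:
        end = offset if offset > 0 else caplen + offset
        start = end + choplen
    start, end = max(start, 0), min(end, caplen)   # never chop past the buffer
    return (start, end) if start < end else None


def chop_frame(frame: bytes, specs, frame_len=None, adjust_len=False):
    """Apply up to two -C specs (one positive and one negative choplen, the
    limit editcap states). Returns (bytes, reported_len, caplen): the reported
    length only shrinks when adjust_len (-L) is set."""
    caplen = len(frame)
    frame_len = caplen if frame_len is None else frame_len
    parsed = [parse_chop(s) for s in specs]
    if len(parsed) > 2 or (
        len(parsed) == 2 and (parsed[0][1] > 0) == (parsed[1][1] > 0)
    ):
        raise ValueError("at most two chop regions, one positive and one negative")
    regions = [r for r in (chop_region(caplen, o, n) for o, n in parsed) if r]
    kept = bytes(b for i, b in enumerate(frame)
                 if not any(s <= i < e for s, e in regions))
    removed = caplen - len(kept)
    return kept, (frame_len - removed if adjust_len else frame_len), len(kept)


def snap_frame(frame: bytes, snaplen: int, frame_len=None, adjust_len=False):
    """-s <snaplen>: keep at most snaplen bytes; -L also lowers the reported length."""
    caplen = len(frame)
    frame_len = caplen if frame_len is None else frame_len
    kept = frame[:snaplen]
    return kept, (min(frame_len, snaplen) if adjust_len else frame_len), len(kept)


# Constructed 75-byte packet laid out like the 5/10/15/20/25 diagram above.
PACKET_75 = bytes(range(75))
# Expected result of removing the 10-byte region [5, 15) and the 20-byte region [30, 50).
PACKET_75_CHOPPED = PACKET_75[:5] + PACKET_75[15:30] + PACKET_75[50:]
# The eight equivalent -C pairs from the example above.
CHOP_VARIANTS = [["5:10", "-25:-20"], ["5:10", "50:-20"], ["-70:10", "-25:-20"],
                 ["-70:10", "50:-20"], ["30:20", "-60:-10"], ["30:20", "15:-10"],
                 ["-45:20", "-60:-10"], ["-45:20", "15:-10"]]
# Constructed 112-byte 802.1Q-tagged frame: dst MAC, src MAC, 4-byte VLAN tag
# (TPID 0x8100, VLAN 100), EtherType 0x0800, zero payload.
VLAN_FRAME = b"\xaa" * 6 + b"\xbb" * 6 + b"\x81\x00\x00\x64" + b"\x08\x00" + bytes(94)
UNTAGGED_FRAME = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + bytes(94)


if __name__ == "__main__":
    for specs in CHOP_VARIANTS:
        assert chop_frame(PACKET_75, specs)[0] == PACKET_75_CHOPPED
    print("-C 12:4    -> (frame len, caplen) =", chop_frame(VLAN_FRAME, ["12:4"])[1:])
    print("-L -C 12:4 -> (frame len, caplen) =",
          chop_frame(VLAN_FRAME, ["12:4"], adjust_len=True)[1:])
    print("-s 60      -> (frame len, caplen) =", snap_frame(VLAN_FRAME, 60)[1:])
```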
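The duplicate test behind -d, -D and -w (Duplicate packet removal section) and the -I hashing offset above, modelled in Python as an added example rather than editcap's own code. Frames and timestamps are constructed; the six-frame sample reproduces the "0 skipped with window 5" versus "1 skipped with window 6" outcome shown above.

```python
"""Model of editcap's duplicate test (-d, -D <window>, -w <seconds>, -I <bytes>).

Added example, not editcap's own code. It follows the help text on this page:
a packet is dropped when its captured length and MD5 digest match one of the
previous (window - 1) packets; -I skips leading bytes (e.g. MAC addresses) when
hashing; -w instead looks back only within a relative time window.
"""
import hashlib
from collections import deque


def frame_digest(frame: bytes, ignore: int = 0) -> bytes:
    """MD5 of the frame minus its first `ignore` bytes (-I). A frame that is not
    longer than `ignore` bytes is hashed whole, as the help text states."""
    offset = ignore if len(frame) > ignore else 0
    return hashlib.md5(frame[offset:]).digest()


def dedup_window(frames, window=5, ignore=0):
    """-d / -D <window>: frame i is skipped when (caplen, md5) equals the
    signature of one of the previous window-1 frames. A skipped frame still
    occupies a slot in the ring, as in editcap. Returns (kept, skipped)."""
    recent = deque(maxlen=max(window - 1, 0))   # signatures of previous frames
    kept, skipped = [], []
    for i, frame in enumerate(frames):
        sig = (len(frame), frame_digest(frame, ignore))
        (skipped if sig in recent else kept).append(i)
        recent.append(sig)
    return kept, skipped


def dedup_time_window(frames, times, window_s=0.000001, ignore=0):
    """-w <seconds>: frame i is skipped when an identical (caplen, md5) frame
    was seen at most window_s seconds earlier. The backward scan stops at the
    first earlier frame outside the window or with a later timestamp."""
    history = []                                 # (timestamp, signature)
    kept, skipped = [], []
    for i, (frame, t) in enumerate(zip(frames, times)):
        sig = (len(frame), frame_digest(frame, ignore))
        dup = False
        for t_prev, sig_prev in reversed(history):
            delta = t - t_prev
            if delta < 0 or delta > window_s:
                break
            if sig_prev == sig:
                dup = True
                break
        (skipped if dup else kept).append(i)
        history.append((t, sig))
    return kept, skipped


def make_frame(src_mac: bytes, seq: int, size: int = 112) -> bytes:
    """Constructed Ethernet/IPv4-shaped frame: 14-byte Ethernet header, 20-byte
    IPv4 header (src/dst IP in its last 8 bytes), then a payload carrying seq."""
    eth = b"\x00\x11\x22\x33\x44\x55" + src_mac + b"\x08\x00"
    ip = (b"\x45\x00" + (size - 14).to_bytes(2, "big") + bytes(8)
          + b"\x0a\x00\x00\x01" + b"\x0a\x00\x00\x02")
    return (eth + ip + seq.to_bytes(2, "big")).ljust(size, b"\x00")


MAC_A, MAC_B = b"\xaa" * 6, b"\xbb" * 6
# Six 112-byte frames where frame 6 repeats frame 1: the situation behind the
# "-D 6" versus "-d" results above.
SAMPLE_FRAMES = [make_frame(MAC_A, n) for n in (1, 2, 3, 4, 5, 1)]
# The same packet seen on two routers: only the source MAC differs (-I 26 case).
ROUTER_FRAMES = [make_frame(MAC_A, 7), make_frame(MAC_B, 7)]
# Timestamps in seconds for the -w case: a repeat 10 us later and one 100 us later.
TIMED_FRAMES = [make_frame(MAC_A, 1), make_frame(MAC_A, 1),
                make_frame(MAC_A, 2), make_frame(MAC_A, 1)]
TIMED_STAMPS = [0.0, 0.000010, 0.000020, 0.000100]


if __name__ == "__main__":
    for w in (5, 6, 0):
        kept, skipped = dedup_window(SAMPLE_FRAMES, window=w)
        print(f"{len(SAMPLE_FRAMES)} packets seen, {len(skipped)} skipped "
              f"with duplicate window of {w} packets")
    print("router frames, -I 26:", dedup_window(ROUTER_FRAMES, 5, ignore=26))
    print("-w 0.000015:", dedup_time_window(TIMED_FRAMES, TIMED_STAMPS, 0.000015))
```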

Output File(s)

The output file options are mainly the following:

Output File(s):
  -c <packets per file>  split the packet output to different files based on
                         uniform packet counts with a maximum of
                         <packets per file> each.
  -i <seconds per file>  split the packet output to different files based on
                         uniform time intervals with a maximum of
                         <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng.
                         An empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type; default is the
                         same as the input file. An empty "-T" option will
                         list the encapsulation types.
  --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List
                         supported secret types with "--inject-secrets help".
  --discard-all-secrets  Discard all decryption secrets from the input file
                         when writing the output file.  Does not discard
                         secrets added by "--inject-secrets" in the same
                         command line.
  --capture-comment <comment>
                         Add a capture file comment, if supported.
  --discard-capture-comment
                         Discard capture file comments from the input file
                         when writing the output file.  Does not discard
                         comments added by "--capture-comment" in the same
                         command line.

$ editcap -c 4 icmp.pcapng icmp1.pcapng
Split the output into one file per 4 packets. File names are numbered from 00000, followed by the timestamp of the file's first packet; if the input file has no timestamp information, the timestamp is omitted.
For example, icmp.pcapng holds 16 packets in total and is split into 4 files: icmp1_00000_20210704113248.pcapng, icmp1_00001_20210704113249.pcapng, icmp1_00002_20210704113250.pcapng and icmp1_00003_20210704113251.pcapng.

$ editcap -i 1 icmp.pcapng icmp1.pcapng
Split the output into different files based on uniform time intervals, with at most 1 second per file. Floating-point values (e.g. 0.5) are allowed.

$ editcap -F
editcap: The available capture file types for the "-F" flag are:
    pcap - Wireshark/tcpdump/... - pcap
    pcapng - Wireshark/... - pcapng
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview-ncf - TamoSoft CommView NCF
    commview-ncfx - TamoSoft CommView NCFX
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    logcat - Android Logcat Binary format
    logcat-brief - Android Logcat Brief text format
    logcat-long - Android Logcat Long text format
    logcat-process - Android Logcat Process text format
    logcat-tag - Android Logcat Tag text format
    logcat-thread - Android Logcat Thread text format
    logcat-threadtime - Android Logcat Threadtime text format
    logcat-time - Android Logcat Time text format
    modpcap - Modified tcpdump - pcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - Sniffer (DOS)
    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
    ngwsniffer_2_0 - Sniffer (Windows) 2.00x
    nokiapcap - Nokia tcpdump - pcap
    nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    nstrace30 - NetScaler Trace (Version 3.0)
    nstrace35 - NetScaler Trace (Version 3.5)
    observer - Viavi Observer
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1pcap - RedHat 6.1 tcpdump - pcap
    snoop - Sun snoop
    suse6_3pcap - SuSE 6.3 tcpdump - pcap
    visual - Visual Networks traffic capture

$ editcap -F pcap
Set the file format of the output capture file. The default is pcapng.

$ editcap -T
editcap: The available encapsulation types for the "-T" flag are:
    ap1394 - Apple IP-over-IEEE 1394
    arcnet - ARCNET
    arcnet_linux - Linux ARCNET
    ascend - Lucent/Ascend access equipment
    atm-pdus - ATM PDUs
    atm-pdus-untruncated - ATM PDUs - untruncated
    atm-rfc1483 - RFC 1483 ATM
    ax25 - Amateur Radio AX.25
    ax25-kiss - AX.25 with KISS header
    bacnet-ms-tp - BACnet MS/TP
    bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
    ber - ASN.1 Basic Encoding Rules
    bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
    bluetooth-h4 - Bluetooth H4
    bluetooth-h4-linux - Bluetooth H4 with linux header
    bluetooth-hci - Bluetooth without transport layer
    bluetooth-le-ll - Bluetooth Low Energy Link Layer
    bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
    bluetooth-linux-monitor - Bluetooth Linux Monitor
    can20b - Controller Area Network 2.0B
    chdlc - Cisco HDLC
    chdlc-with-direction - Cisco HDLC with Directional Info
    cosine - CoSine L2 debug log
    dbus - D-Bus
    dct2000 - Catapult DCT2000
    docsis - Data Over Cable Service Interface Specification
    docsis31_xra31 - DOCSIS with Excentis XRA pseudo-header
    dpauxmon - DisplayPort AUX channel with Unigraf pseudo-header
    dpnss_link - Digital Private Signalling System No 1 Link Layer
    dvbci - DVB-CI (Common Interface)
    ebhscr - Elektrobit High Speed Capture and Replay
    enc - OpenBSD enc(4) encapsulating interface
    epon - Ethernet Passive Optical Network
    erf - Extensible Record Format
    eri_enb_log - Ericsson eNode-B raw log
    ether - Ethernet
    ether-mpacket - IEEE 802.3br mPackets
    ether-nettl - Ethernet with nettl headers
    etw - Event Tracing for Windows messages
    fc2 - Fibre Channel FC-2
    fc2sof - Fibre Channel FC-2 With Frame Delimiter
    fddi - FDDI
    fddi-nettl - FDDI with nettl headers
    fddi-swapped - FDDI with bit-swapped MAC addresses
    flexray - FlexRay
    frelay - Frame Relay
    frelay-with-direction - Frame Relay with Directional Info
    gcom-serial - GCOM Serial
    gcom-tie1 - GCOM TIE1
    gfp-f - ITU-T G.7041/Y.1303 Generic Framing Procedure Frame-mapped mode
    gfp-t - ITU-T G.7041/Y.1303 Generic Framing Procedure Transparent mode
    gprs-llc - GPRS LLC
    gsm_um - GSM Um Interface
    hhdlc - HiPath HDLC
    i2c-linux - I2C with Linux-specific pseudo-header
    ieee-802-11 - IEEE 802.11 Wireless LAN
    ieee-802-11-avs - IEEE 802.11 plus AVS radio header
    ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
    ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
    ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
    ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
    ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
    infiniband - InfiniBand
    ios - Cisco IOS internal
    ip-ib - IP over IB
    ip-over-fc - RFC 2625 IP-over-Fibre Channel
    ip-over-ib - IP over InfiniBand
    ipfix - RFC 5655/RFC 5101 IPFIX
    ipmb-kontron - Intelligent Platform Management Bus with Kontron pseudo-header
    ipmi-trace - IPMI Trace Data Collection
    ipnet - Solaris IPNET
    irda - IrDA
    isdn - ISDN
    iso14443 - ISO 14443 contactless smartcard standards
    ixveriwave - IxVeriWave header and stats block
    jfif - JPEG/JFIF
    json - JavaScript Object Notation
    juniper-atm1 - Juniper ATM1
    juniper-atm2 - Juniper ATM2
    juniper-chdlc - Juniper C-HDLC
    juniper-ether - Juniper Ethernet
    juniper-frelay - Juniper Frame-Relay
    juniper-ggsn - Juniper GGSN
    juniper-mlfr - Juniper MLFR
    juniper-mlppp - Juniper MLPPP
    juniper-ppp - Juniper PPP
    juniper-pppoe - Juniper PPPoE
    juniper-st - Juniper Secure Tunnel Information
    juniper-svcs - Juniper Services
    juniper-vn - Juniper VN
    juniper-vp - Juniper Voice PIC
    k12 - K12 protocol analyzer
    lapb - LAPB
    lapd - LAPD
    layer1-event - EyeSDN Layer 1 event
    lin - Local Interconnect Network
    linux-atm-clip - Linux ATM CLIP
    linux-lapd - LAPD with Linux pseudo-header
    linux-sll - Linux cooked-mode capture v1
    linux-sll2 - Linux cooked-mode capture v2
    log_3GPP - 3GPP Phone Log
    logcat - Android Logcat Binary format
    logcat_brief - Android Logcat Brief text format
    logcat_long - Android Logcat Long text format
    logcat_process - Android Logcat Process text format
    logcat_tag - Android Logcat Tag text format
    logcat_thread - Android Logcat Thread text format
    logcat_threadtime - Android Logcat Threadtime text format
    logcat_time - Android Logcat Time text format
    loop - OpenBSD loopback
    loratap - LoRaTap
    ltalk - Localtalk
    message_analyzer_wfp_capture2_v4 - Message Analyzer WFP Capture2 v4
    message_analyzer_wfp_capture2_v6 - Message Analyzer WFP Capture2 v6
    message_analyzer_wfp_capture_auth_v4 - Message Analyzer WFP Capture Auth v4
    message_analyzer_wfp_capture_auth_v6 - Message Analyzer WFP Capture Auth v6
    message_analyzer_wfp_capture_v4 - Message Analyzer WFP Capture v4
    message_analyzer_wfp_capture_v6 - Message Analyzer WFP Capture v6
    mime - MIME
    most - Media Oriented Systems Transport
    mp2ts - ISO/IEC 13818-1 MPEG2-TS
    mp4 - MP4 files
    mpeg - MPEG
    mtp2 - SS7 MTP2
    mtp2-with-phdr - MTP2 with pseudoheader
    mtp3 - SS7 MTP3
    mux27010 - MUX27010
    netanalyzer - Hilscher netANALYZER
    netanalyzer-transparent - Hilscher netANALYZER-Transparent
    netlink - Linux Netlink
    netmon_event - Network Monitor Network Event
    netmon_filter - Network Monitor Filter
    netmon_header - Network Monitor Header
    netmon_network_info - Network Monitor Network Info
    nfc-llcp - NFC LLCP
    nflog - NFLOG
    nordic_ble - nRF Sniffer for Bluetooth LE
    nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
    nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
    nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
    nstrace35 - NetScaler Encapsulation 3.5 of Ethernet
    null - NULL/Loopback
    packetlogger - Apple Bluetooth PacketLogger
    pflog - OpenBSD PF Firewall logs
    pflog-old - OpenBSD PF Firewall logs, pre-3.4
    pktap - Apple PKTAP
    ppi - Per-Packet Information header
    ppp - PPP
    ppp-with-direction - PPP with Directional Info
    pppoes - PPP-over-Ethernet session
    raw-icmp-nettl - Raw ICMP with nettl headers
    raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
    raw-telnet-nettl - Raw telnet with nettl headers
    rawip - Raw IP
    rawip-nettl - Raw IP with nettl headers
    rawip4 - Raw IPv4
    rawip6 - Raw IPv6
    redback - Redback SmartEdge
    rfc7468 - RFC 7468 file
    rtac-serial - RTAC serial-line
    ruby_marshal - Ruby marshal object
    s4607 - STANAG 4607
    s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
    sccp - SS7 SCCP
    sctp - SCTP
    sdh - SDH
    sdjournal - systemd journal
    sdlc - SDLC
    sita-wan - SITA WAN packets
    slip - SLIP
    socketcan - SocketCAN
    symantec - Symantec Enterprise Firewall
    tnef - Transport-Neutral Encapsulation Format
    tr - Token Ring
    tr-nettl - Token Ring with nettl headers
    tzsp - Tazmen sniffer protocol
    unknown - Unknown
    unknown-nettl - Unknown link-layer type with nettl headers
    usb-20 - USB 2.0/1.1/1.0 packets
    usb-darwin - USB packets with Darwin (macOS, etc.) headers
    usb-freebsd - USB packets with FreeBSD header
    usb-linux - USB packets with Linux header
    usb-linux-mmap - USB packets with Linux header and padding
    usb-usbpcap - USB packets with USBPcap header
    user0 - USER 0
    user1 - USER 1
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    v5-ef - V5 Envelope Function
    vpp - Vector Packet Processing graph dispatch trace
    vsock - Linux vsock
    whdlc - Wellfleet HDLC
    wireshark-upper-pdu - Wireshark Upper PDU export
    wpan - IEEE 802.15.4 Wireless PAN
    wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
    wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
    wpan-tap - IEEE 802.15.4 Wireless with TAP pseudo-header
    x2e-serial - X2E serial line capture
    x2e-xoraya - X2E Xoraya
    x25-nettl - X.25 with nettl headers
    xeth - Xerox 3MB Ethernet
    zwave-serial - Z-Wave Serial API packets

$ editcap -T linux-sll
Set the packet encapsulation type of the output capture file. If -T is given, the encapsulation type of the output file is forced to the specified type. The default is the encapsulation type of the input capture file.

$ editcap --inject-secrets <secrets type>,<file>
$ editcap --inject-secrets help
    tls
    wg

$ editcap --inject-secrets tls,tls.log test.pcapng test1.pcapng
Add the TLS keys from tls.log to test.pcapng as a Decryption Secrets Block (DSB) and write the result to test1.pcapng.

$ editcap --discard-all-secrets test1.pcapng test.pcapng
Discard all decryption secrets from the input file when writing the output file.

$ editcap --capture-comment "test test" test.pcapng test1.pcapng
Add the given comment to the output file, if the output format supports it; the new comment is placed after any comments already present in the input file. This option can be given more than once. Note that Wireshark currently displays only the first comment of a capture file.

$ editcap --discard-capture-comment test1.pcapng test.pcapng
Discard all capture file comments from the input file.
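What --inject-secrets tls,<file> stores and --discard-all-secrets removes, as an added Python example that is not Wireshark's code: the block layout and type constants follow the pcapng specification, and the key-log line is a constructed placeholder rather than a real session key.

```python
"""Minimal pcapng writer/reader for Decryption Secrets Blocks (DSB).

Added example, not Wireshark's code. It builds a section carrying one DSB with
TLS key-log text (what `editcap --inject-secrets tls,<file>` adds), reads the
secrets back out, and strips DSBs again (what `--discard-all-secrets` does).
"""
import struct

SHB_TYPE = 0x0A0D0D0A            # Section Header Block
DSB_TYPE = 0x0000000A            # Decryption Secrets Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D    # written little-endian below
SECRETS_TLS_KEYLOG = 0x544C534B  # "TLSK": NSS key-log format (editcap type "tls")
SECRETS_WIREGUARD = 0x57474B4C   # "WGKL": WireGuard keys (editcap type "wg")

# Constructed placeholder key-log content; not a real secret.
KEYLOG = (b"CLIENT_RANDOM " + b"00" * 32 + b" " + b"11" * 48 + b"\n"
          b"# constructed placeholder, not a real secret\n")


def _pad4(data: bytes) -> bytes:
    """pcapng bodies are padded to a 32-bit boundary."""
    return data + b"\x00" * (-len(data) % 4)


def block(block_type: int, body: bytes) -> bytes:
    """Generic block: type, total length, padded body, total length again."""
    body = _pad4(body)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header() -> bytes:
    """SHB (version 1.0) with unknown section length (-1) and no options."""
    return block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def decryption_secrets_block(secrets_type: int, secrets: bytes) -> bytes:
    """DSB body: secrets type, secrets length, padded secrets data, no options."""
    body = struct.pack("<II", secrets_type, len(secrets)) + _pad4(secrets)
    return block(DSB_TYPE, body)


def build_capture(keylog: bytes) -> bytes:
    """A section holding only the header and one TLS key-log DSB (no packets)."""
    return section_header() + decryption_secrets_block(SECRETS_TLS_KEYLOG, keylog)


def iter_blocks(data: bytes):
    """Yield (type, body) per block, checking that both length fields agree
    and that no block runs past the end of the data (little-endian section)."""
    offset = 0
    while offset < len(data):
        if offset + 12 > len(data):
            raise ValueError("truncated block header")
        btype, total = struct.unpack_from("<II", data, offset)
        if total < 12 or total % 4 or offset + total > len(data):
            raise ValueError(f"bad block length {total} at offset {offset}")
        (trailer,) = struct.unpack_from("<I", data, offset + total - 4)
        if trailer != total:
            raise ValueError("block length trailer mismatch")
        yield btype, data[offset + 8:offset + total - 4]
        offset += total


def extract_secrets(data: bytes):
    """Return [(secrets_type, secrets_bytes)] for every DSB in the file."""
    found = []
    for btype, body in iter_blocks(data):
        if btype == DSB_TYPE:
            stype, slen = struct.unpack_from("<II", body, 0)
            found.append((stype, body[8:8 + slen]))
    return found


def discard_all_secrets(data: bytes) -> bytes:
    """Rewrite the file without any DSB, as --discard-all-secrets does."""
    return b"".join(block(t, b) for t, b in iter_blocks(data) if t != DSB_TYPE)


if __name__ == "__main__":
    cap = build_capture(KEYLOG)
    print("blocks:", [hex(t) for t, _ in iter_blocks(cap)])
    print("secrets:", extract_secrets(cap))
    print("after discard:", [hex(t) for t, _ in iter_blocks(discard_all_secrets(cap))])
```

A capture that carries a DSB holds the session keys in clear text, so until --discard-all-secrets has been run on it the file needs the same handling as the key-log file itself.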

Miscellaneous

The miscellaneous options are mainly the following:

Miscellaneous:
  -h, --help             display this help and exit.
  -V                     verbose output.
                         If -V is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-error.
  -v, --version          print version information and exit.

$ editcap -h
Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Edit and/or translate the format of capture files.
See https://www.wireshark.org for more information.

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
[the remaining usage text is the same as in the Options section above]

$ editcap -rV test.pcapng test1.pcapng 1
File test.pcapng is a InfoVista 5View capture capture file.
Add_Selected: 1
Not inclusive ... 1
Packet: 1

$ editcap -dV test.pcapng test1.pcapng
File test.pcapng is a InfoVista 5View capture capture file.
Packet: 1, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
Packet: 2, Len: 112, MD5 Hash: 8115aa6990b2064660934f36f1b5bacc
Packet: 3, Len: 112, MD5 Hash: 1fbf43ee3fb682cb82d5adddf87bb0cc
Packet: 4, Len: 112, MD5 Hash: 129fcc09853b16a260b55b92656fb148
Packet: 5, Len: 112, MD5 Hash: 4f2a15c3946ab86b6fccf70ad84d57a9
Packet: 6, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7
6 packets seen, 0 packets skipped with duplicate window of 5 packets.

$ editcap -v
Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b).

Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with binary plugins.

Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) Gold
6242R CPU @ 3.10GHz (with SSE4.2), with 16382 MB of physical memory, with GLib
2.72.3, with PCRE2 10.40 2022-04-14, with LC_TYPE=C, binary plugins supported.
