D.7. editcap: Edit capture files

editcap is a general-purpose utility for modifying capture files. Its main function is to remove packets from capture files, but it can also be used to convert capture files from one format to another, as well as to print information about capture files. For more information on editcap consult your local manual page (man editcap) or the online version.

Help information available from editcap. 

Editcap (Wireshark) 4.5.0 (v4.5.0rc0-48-g7b7ca8210417)
Edit and/or translate the format of capture files.
See https://www.wireshark.org for more information.

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present; use '-' for stdin or stdout.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        only read packets whose timestamp is after (or equal
                         to) the given time.
  -B <stop time>         only read packets whose timestamp is before the
                         given time.
                         Time format for -A/-B options is
                         YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]
                         Unix epoch timestamps are also supported.

Duplicate packet removal:
  --novlan               remove vlan info from packets before checking for duplicates.
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>.
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -V (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).
           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -V may not always work as expected.
           Specifically the -r, -t or -S options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.
  --skip-radiotap-header skip radiotap header when checking for packet duplicates.
                         Useful when processing packets captured by multiple radios
                         on the same channel in the vicinity of each other.
  --set-unused           set unused byts to zero in sll link addr.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame (i.e. reported) length when chopping
                         and/or snapping.
  -t <time adjustment>   adjust the timestamp of each packet.
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                         a particular packet byte will be randomly changed.
  -o <change offset>     When used in conjunction with -E, skip some bytes from the
                         beginning of the packet. This allows one to preserve some
                         bytes, in order to have some headers untouched.
  --seed <seed>          When used in conjunction with -E, set the seed to use for
                         the pseudo-random number generator. This allows one to
                         repeat a particular sequence of errors.
  -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                         of the frame during MD5 hash calculation, unless the
                         frame is too short, then the full frame is used.
                         Useful to remove duplicated packets taken on
                         several routers (different mac addresses for
                         example).
                         e.g. -I 26 in case of Ether/IP will ignore
                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).
  -a <framenum>:<comment> Add or replace comment for given frame number

Output File(s):
                         if the output file(s) have the .gz extension, then
                         gzip compression will be used
  -c <packets per file>  split the packet output to different files based on
                         uniform packet counts with a maximum of
                         <packets per file> each.
  -i <seconds per file>  split the packet output to different files based on
                         uniform time intervals with a maximum of
                         <seconds per file> each.
  -F <capture type>      set the output file type; default is pcapng.
                         An empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type; default is the
                         same as the input file. An empty "-T" option will
                         list the encapsulation types.
  --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List
                         supported secret types with "--inject-secrets help".
  --extract-secrets      Extract decryption secrets into the output file instead.
                         Incompatible with other options besides -V.
  --discard-all-secrets  Discard all decryption secrets from the input file
                         when writing the output file.  Does not discard
                         secrets added by "--inject-secrets" in the same
                         command line.
  --capture-comment <comment>
                         Add a capture file comment, if supported.
  --discard-capture-comment
                         Discard capture file comments from the input file
                         when writing the output file.  Does not discard
                         comments added by "--capture-comment" in the same
                         command line.
  --discard-packet-comments
                         Discard all packet comments from the input file
                         when writing the output file.  Does not discard
                         comments added by "-a" in the same command line.
  --compress <type>      Compress the output file using the type compression format.

Miscellaneous:
  -h, --help             display this help and exit.
  -V                     verbose output.
                         If -V is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-error.
  -v, --version          print version information and exit.

Capture file types available from editcap -F

editcap: The available capture file types for the "-F" flag are:
    pcap - Wireshark/tcpdump/... - pcap
    pcapng - Wireshark/... - pcapng
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview-ncf - TamoSoft CommView NCF
    commview-ncfx - TamoSoft CommView NCFX
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    logcat - Android Logcat Binary format
    logcat-brief - Android Logcat Brief text format
    logcat-long - Android Logcat Long text format
    logcat-process - Android Logcat Process text format
    logcat-tag - Android Logcat Tag text format
    logcat-thread - Android Logcat Thread text format
    logcat-threadtime - Android Logcat Threadtime text format
    logcat-time - Android Logcat Time text format
    modpcap - Modified tcpdump - pcap
    mp2t - MPEG2 transport stream
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - Sniffer (DOS)
    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
    ngwsniffer_2_0 - Sniffer (Windows) 2.00x
    nokiapcap - Nokia tcpdump - pcap
    nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    nstrace30 - NetScaler Trace (Version 3.0)
    nstrace35 - NetScaler Trace (Version 3.5)
    observer - Viavi Observer
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1pcap - RedHat 6.1 tcpdump - pcap
    snoop - Sun snoop
    suse6_3pcap - SuSE 6.3 tcpdump - pcap
    visual - Visual Networks traffic capture

Encapsulation types available from editcap -T

editcap: The available encapsulation types for the "-T" flag are:
    alp - ATSC Link-Layer Protocol (A/330) packets
    ap1394 - Apple IP-over-IEEE 1394
    arcnet - ARCNET
    arcnet_linux - Linux ARCNET
    ascend - Lucent/Ascend access equipment
    atm-pdus - ATM PDUs
    atm-pdus-untruncated - ATM PDUs - untruncated
    atm-rfc1483 - RFC 1483 ATM
    auerlog - Auerswald Log
    autosardlt - AUTOSAR DLT
    ax25 - Amateur Radio AX.25
    ax25-kiss - AX.25 with KISS header
    bacnet-ms-tp - BACnet MS/TP
    bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
    ber - ASN.1 Basic Encoding Rules
    bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF
    bluetooth-h4 - Bluetooth H4
    bluetooth-h4-linux - Bluetooth H4 with linux header
    bluetooth-hci - Bluetooth without transport layer
    bluetooth-le-ll - Bluetooth Low Energy Link Layer
    bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF
    bluetooth-linux-monitor - Bluetooth Linux Monitor
    can20b - Controller Area Network 2.0B
    chdlc - Cisco HDLC
    chdlc-with-direction - Cisco HDLC with Directional Info
    cosine - CoSine L2 debug log
    dbus - D-Bus
    dct2000 - Catapult DCT2000
    dect_nr - DECT-2020 New Radio (NR) MAC layer
    docsis - Data Over Cable Service Interface Specification
    docsis31_xra31 - DOCSIS with Excentis XRA pseudo-header
    dpauxmon - DisplayPort AUX channel with Unigraf pseudo-header
    dpnss_link - Digital Private Signalling System No 1 Link Layer
    dvbci - DVB-CI (Common Interface)
    ebhscr - Elektrobit High Speed Capture and Replay
    ems - EMS (EGNOS Message Server) file
    enc - OpenBSD enc(4) encapsulating interface
    epon - Ethernet Passive Optical Network
    erf - Extensible Record Format
    eri_enb_log - Ericsson eNode-B raw log
    ether - Ethernet
    ether-mpacket - IEEE 802.3br mPackets
    ether-nettl - Ethernet with nettl headers
    etw - Event Tracing for Windows messages
    fc2 - Fibre Channel FC-2
    fc2sof - Fibre Channel FC-2 With Frame Delimiter
    fddi - FDDI
    fddi-nettl - FDDI with nettl headers
    fddi-swapped - FDDI with bit-swapped MAC addresses
    fira-uci - FiRa UWB Controller Interface (UCI) protocol.
    flexray - FlexRay
    frelay - Frame Relay
    frelay-with-direction - Frame Relay with Directional Info
    gcom-serial - GCOM Serial
    gcom-tie1 - GCOM TIE1
    gfp-f - ITU-T G.7041/Y.1303 Generic Framing Procedure Frame-mapped mode
    gfp-t - ITU-T G.7041/Y.1303 Generic Framing Procedure Transparent mode
    gprs-llc - GPRS LLC
    gsm_um - GSM Um Interface
    hhdlc - HiPath HDLC
    i2c-linux - I2C with Linux-specific pseudo-header
    ieee-802-11 - IEEE 802.11 Wireless LAN
    ieee-802-11-avs - IEEE 802.11 plus AVS radio header
    ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
    ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
    ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
    ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
    ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
    infiniband - InfiniBand
    ios - Cisco IOS internal
    ip-ib - IP over IB
    ip-over-fc - RFC 2625 IP-over-Fibre Channel
    ip-over-ib - IP over InfiniBand
    ipfix - RFC 5655/RFC 5101 IPFIX
    ipmb-kontron - Intelligent Platform Management Bus with Kontron pseudo-header
    ipmi-trace - IPMI Trace Data Collection
    ipnet - Solaris IPNET
    irda - IrDA
    isdn - ISDN
    iso14443 - ISO 14443 contactless smartcard standards
    ixveriwave - IxVeriWave header and stats block
    jfif - JPEG/JFIF
    json - JavaScript Object Notation
    juniper-atm1 - Juniper ATM1
    juniper-atm2 - Juniper ATM2
    juniper-chdlc - Juniper C-HDLC
    juniper-ether - Juniper Ethernet
    juniper-frelay - Juniper Frame-Relay
    juniper-ggsn - Juniper GGSN
    juniper-mlfr - Juniper MLFR
    juniper-mlppp - Juniper MLPPP
    juniper-ppp - Juniper PPP
    juniper-pppoe - Juniper PPPoE
    juniper-st - Juniper Secure Tunnel Information
    juniper-svcs - Juniper Services
    juniper-vn - Juniper VN
    juniper-vp - Juniper Voice PIC
    k12 - K12 protocol analyzer
    lapb - LAPB
    lapd - LAPD
    layer1-event - EyeSDN Layer 1 event
    lin - Local Interconnect Network
    linux-atm-clip - Linux ATM CLIP
    linux-lapd - LAPD with Linux pseudo-header
    linux-sll - Linux cooked-mode capture v1
    linux-sll2 - Linux cooked-mode capture v2
    log_3GPP - 3GPP Phone Log
    logcat - Android Logcat Binary format
    logcat_brief - Android Logcat Brief text format
    logcat_long - Android Logcat Long text format
    logcat_process - Android Logcat Process text format
    logcat_tag - Android Logcat Tag text format
    logcat_thread - Android Logcat Thread text format
    logcat_threadtime - Android Logcat Threadtime text format
    logcat_time - Android Logcat Time text format
    loop - OpenBSD loopback
    loratap - LoRaTap
    ltalk - Localtalk
    mdb - MDB (Multi-Drop Bus)
    message_analyzer_wfp_capture2_v4 - Message Analyzer WFP Capture2 v4
    message_analyzer_wfp_capture2_v6 - Message Analyzer WFP Capture2 v6
    message_analyzer_wfp_capture_auth_v4 - Message Analyzer WFP Capture Auth v4
    message_analyzer_wfp_capture_auth_v6 - Message Analyzer WFP Capture Auth v6
    message_analyzer_wfp_capture_v4 - Message Analyzer WFP Capture v4
    message_analyzer_wfp_capture_v6 - Message Analyzer WFP Capture v6
    mime - MIME
    most - Media Oriented Systems Transport
    mp2ts - ISO/IEC 13818-1 MPEG2-TS
    mp4 - MP4 files
    mpeg - MPEG
    mtp2 - SS7 MTP2
    mtp2-with-phdr - MTP2 with pseudoheader
    mtp3 - SS7 MTP3
    mux27010 - MUX27010
    netanalyzer - Hilscher netANALYZER
    netanalyzer-transparent - Hilscher netANALYZER-Transparent
    netlink - Linux Netlink
    netmon_event - Network Monitor Network Event
    netmon_filter - Network Monitor Filter
    netmon_header - Network Monitor Header
    netmon_network_info - Network Monitor Network Info
    nfc-llcp - NFC LLCP
    nflog - NFLOG
    nordic_ble - nRF Sniffer for Bluetooth LE
    nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
    nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
    nstrace30 - NetScaler Encapsulation 3.0 of Ethernet
    nstrace35 - NetScaler Encapsulation 3.5 of Ethernet
    null - NULL/Loopback
    packetlogger - Apple Bluetooth PacketLogger
    pflog - OpenBSD PF Firewall logs
    pflog-old - OpenBSD PF Firewall logs, pre-3.4
    pktap - Apple PKTAP
    ppi - Per-Packet Information header
    ppp - PPP
    ppp-with-direction - PPP with Directional Info
    pppoes - PPP-over-Ethernet session
    raw-icmp-nettl - Raw ICMP with nettl headers
    raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
    raw-telnet-nettl - Raw telnet with nettl headers
    rawip - Raw IP
    rawip-nettl - Raw IP with nettl headers
    rawip4 - Raw IPv4
    rawip6 - Raw IPv6
    redback - Redback SmartEdge
    rfc7468 - RFC 7468 file
    rtac-serial - RTAC serial-line
    ruby_marshal - Ruby marshal object
    s4607 - STANAG 4607
    s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)
    sccp - SS7 SCCP
    sctp - SCTP
    sdh - SDH
    sdjournal - systemd journal
    sdlc - SDLC
    silabs-dch - Silabs Debug Channel
    sita-wan - SITA WAN packets
    slip - SLIP
    socketcan - SocketCAN
    symantec - Symantec Enterprise Firewall
    tnef - Transport-Neutral Encapsulation Format
    tr - Token Ring
    tr-nettl - Token Ring with nettl headers
    tzsp - Tazmen sniffer protocol
    unknown - Unknown
    unknown-nettl - Unknown link-layer type with nettl headers
    usb-20 - USB 2.0/1.1/1.0 packets
    usb-20-full - Full-Speed USB 2.0/1.1/1.0 packets
    usb-20-high - High-Speed USB 2.0 packets
    usb-20-low - Low-Speed USB 2.0/1.1/1.0 packets
    usb-darwin - USB packets with Darwin (macOS, etc.) headers
    usb-freebsd - USB packets with FreeBSD header
    usb-linux - USB packets with Linux header
    usb-linux-mmap - USB packets with Linux header and padding
    usb-usbpcap - USB packets with USBPcap header
    user0 - USER 0
    user1 - USER 1
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    v5-ef - V5 Envelope Function
    vpp - Vector Packet Processing graph dispatch trace
    vsock - Linux vsock
    whdlc - Wellfleet HDLC
    wireshark-upper-pdu - Wireshark Upper PDU export
    wpan - IEEE 802.15.4 Wireless PAN
    wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
    wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
    wpan-tap - IEEE 802.15.4 Wireless with TAP pseudo-header
    x2e-serial - X2E serial line capture
    x2e-xoraya - X2E Xoraya
    x25-nettl - X.25 with nettl headers
    xeth - Xerox 3MB Ethernet
    zbncp - ZBOSS NCP
    zwave-serial - Z-Wave Serial API packets