User Guide

Related command line tools
Example D.5. Help information available from editcap
$ editcap -h
Editcap 1.4.0
Edit and/or translate the format of capture files.
See http://www.wireshark.org for more information.

Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

<infile> and <outfile> must both be present.
A single packet or a range of packets can be selected.

Packet selection:
  -r                     keep the selected packets; default is to delete them.
  -A <start time>        don't output packets whose timestamp is before the
                         given time (format as YYYY-MM-DD hh:mm:ss).
  -B <stop time>         don't output packets whose timestamp is after the
                         given time (format as YYYY-MM-DD hh:mm:ss).

Duplicate packet removal:
  -d                     remove packet if duplicate (window == 5).
  -D <dup window>        remove packet if duplicate; configurable <dup window>
                         Valid <dup window> values are 0 to 1000000.
                         NOTE: A <dup window> of 0 with -v (verbose option) is
                         useful to print MD5 hashes.
  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                         LESS THAN <dup time window> prior to current packet.
                         A <dup time window> is specified in relative seconds
                         (e.g. 0.000001).

           NOTE: The use of the 'Duplicate packet removal' options with
           other editcap options except -v may not always work as expected.
           Specifically the -r and -t options will very likely NOT have the
           desired effect if combined with the -d, -D or -w.

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C <choplen>           chop each packet at the end by <choplen> bytes.
  -t <time adjustment>   adjust the timestamp of each packet;
                         <time adjustment> is in relative seconds (e.g. -0.5).
  -S <strict adjustment> adjust timestamp of packets if necessary to insure
                         strict chronological increasing order. The <strict
                         adjustment> is specified in relative seconds with
                         values of 0 or 0.000001 being the most reasonable.
                         A negative adjustment value will modify timestamps so
                         that each packet's delta time is the absolute value
                         of the adjustment specified. A value of -0 will set
                         all packets to the timestamp of the first packet.
  -E <error probability> set the probability (between 0.0 and 1.0 incl.)
                         that a particular packet byte will be randomly changed.

Output File(s):
  -c <packets per file>  split the packet output to different files
                         based on uniform packet counts
                         with a maximum of <packets per file> each.
  -i <seconds per file>  split the packet output to different files
                         based on uniform time intervals
                         with a maximum of <seconds per file> each.
  -F <capture type>      set the output file type; default is libpcap.
                         an empty "-F" option will list the file types.
  -T <encap type>        set the output file encapsulation type;
                         default is the same as the input file.
                         an empty "-T" option will list the encapsulation types.

Miscellaneous:
  -h                     display this help and exit.
  -v                     verbose output.
                         If -v is used with any of the 'Duplicate Packet
                         Removal' options (-d, -D or -w) then Packet lengths
                         and MD5 hashes are printed to standard-out.
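
The -d and -D options above drop a packet when its length and MD5 hash match a recent packet. The following Python example is an added illustration, not editcap's own code: it assumes the current packet is compared with the previous <dup window> - 1 packets (so -d looks back four packets), and the function names and sample frames are constructed for the example.

```python
import hashlib
import struct
from collections import deque

def build_pcap(packets):
    """Constructed sample input: classic little-endian pcap, Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap."""
    if len(blob) < 24 or struct.unpack_from("<I", blob, 0)[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    off = 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header")
        sec, usec, incl, _orig = struct.unpack_from("<IIII", blob, off)
        off += 16
        if off + incl > len(blob):
            raise ValueError("truncated packet data")
        yield sec + usec / 1e6, blob[off:off + incl]
        off += incl

def dedup(records, window=5):
    """Return (kept, report); report rows are (length, md5_hex, is_duplicate)."""
    # Assumption: the current packet is compared with the previous window-1
    # packets, and dropped duplicates still occupy a slot in the window.
    recent = deque(maxlen=max(window - 1, 0))
    kept, report = [], []
    for ts, data in records:
        key = (len(data), hashlib.md5(data).hexdigest())
        dup = key in recent
        recent.append(key)
        report.append(key + (dup,))
        if not dup:
            kept.append((ts, data))
    return kept, report

# Constructed frames: "A" repeats right away and again seven packets after the first.
FRAMES = [b"A" * 60, b"B" * 60, b"A" * 60, b"C" * 60,
          b"D" * 60, b"E" * 60, b"F" * 60, b"A" * 60]
SAMPLE = build_pcap([(1700000000 + i, 0, f) for i, f in enumerate(FRAMES)])

if __name__ == "__main__":
    for w in (0, 5, 9):
        kept, report = dedup(read_pcap(SAMPLE), window=w)
        print(f"window={w}: kept {len(kept)} of {len(report)}")
```

With a window of 0 nothing is dropped and the report still lists every length and hash, which is the case the NOTE under -D describes for use with -v.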