Command-line utility for working with capture files - remove packets, convert capture files from one format to another,print information about capture files.
Questions tagged [editcap]
24 questions
15
votes
1 answer
Filter a pcap dump file for a specific time range
Is there any easy way to create a pcap file for the packets related to a specific datetime range maybe using tshark, tcpdump or another commandline tool?
tshark -R with frame.time seems promising but I haven't been able to work that out…
Filippo Vitale
- 7,597
- 3
- 58
- 64
2
votes
1 answer
Filter first ten minutes of pcap
I have a large pcap file, and I would like to generate a new pcap that contains only the first ten minutes of traffic. Can I do this with tcpdump? I have seen editcap mentioned online, but I would like to use tcpdump if possible.
Alex Parker
- 1,533
- 3
- 16
- 38
1
vote
1 answer
How to execute editcap with options and parameters inside a python script?
I am trying to execute an editcap command inside a python script. Usually, I do it in cmd, but I want to include it in my python script.
editcap –c 10000 C:\Users\Administrator\Desktop\C_datasets\sa1.pcap…
afaq
- 111
- 2
1
vote
1 answer
Insert, Remove and Modify bytes from packet of Pcap file in linux
I require a way to insert, remove or modify the hex data bytes in the packet of a pcap file. Is there a tshark command or any other method to do this.
00292c0: 900b 0000 0018 5a82 5a82 a57e 5a82 a57e ......Z.Z..~Z..~
00292d0: a57e a57e 5a82 5a82…
Sukshith Shetty
- 21
- 2
- 4
1
vote
1 answer
How to convert Microsoft Network Monitor `.cap` file to `.pcap` or `pcapng`?
When I tried to use editcap to convert .cap to .pcap, I got:
'editcap: The capture file being read can't be written as a ".pcap" file.'
The .cap file generated by Microsoft Network Monitor looks very special, which contains application and other…
bbin guo
- 13
- 1
- 4
1
vote
0 answers
Why is there data loss on using editcap "-d"?
I used editcap with option "-d" on a large pcapng file to delete duplicate packets (source file 11GB, new file 5 GB). After that, i extracted all contained files from both pcapng-files (with Networkminer free). I assumed there would be no data…
Tex
- 29
- 6
1
vote
1 answer
How to modify the timestamp range of a .pcap file?
Problem
I need to modify a .pcap file captured over a timespan of 5 minutes such that it simulates a .pcap file captured over a timespan of 20 minutes. The problem is that I don't know how to do this.
Example
To illustrate the problem, suppose I…
Thijs van Ede
- 78
- 1
- 8
1
vote
1 answer
Unable to do tcpreplay of edited wireshark file
what I did -
Got a wireshark capture of web traffic.
Edited the capture file to remove one GET request. (removed that line using editcap)
Saved the edited file (from step 2)
Did a tcpreplay of this file.
When I do this, I get an error: Fatal…
Omi
- 976
- 2
- 20
- 35
1
vote
3 answers
extract specific timestamp period in pcap files
i have one big pcap files and my objective is to extract only certain timestamp period of the traces (for example, the dataset time start from 0 to 200, but i only want between 50 - 100 seconds).
i tried to use editcap tools and use this command
…
user3085445
- 95
- 2
- 10
0
votes
1 answer
editcap adjust the time of specific frames
I have a .pcap file where I want to keep the timestamp of the first frame but adjust the time for every other frame. According to the man page it would seem that you can only adjust the time of every frame, not specific ones. Is there some way to…
Eric Pereira
- 1
- 1
0
votes
3 answers
Remove trailer timestamp from the captured packets
I have a packet capture captured through a special switch that appends timestamps just before FCS. These are generally referred as "trailer timestamps".
However, after doing so, the FCS at the end of the packet is not updated. Hence, when i load the…
Sandeep
- 18,356
- 16
- 68
- 108
0
votes
1 answer
editcap -A and -B: using timestamp with nanoseconds example
I'm trying to get editcap to use a timestamp with nanoseconds, but I am unable to do this.
sample timestamp: 2022-01-23 23:10:05.237000000Z
TZ=UTC editcap -A '2022-01-23 23:10:05.237000000Z' -F nseclibpcap
Silentterms
- 41
- 1
0
votes
1 answer
How to tell what file a packet came from after files merged
I am dealing with a large number of pcap files from numerous collection sources. I need to programmatically filter and I am using tshark for that, so I am merging all the files together first using mergecap. The problem with that is I also need…
Greysquall
- 48
- 3
0
votes
1 answer
How to add a comment to all packets in numerous pcap files before merging into a single file
I'm trying to merge numerous pcap files together for post-processing after capture, however, I need to retain information about the source file of each packet (the file name contains information about the network tap source). This information isn't…
Greysquall
- 48
- 3
0
votes
1 answer
editcap -A and -B: what time zone should I use?
I need to extract packets within certain time ranges from a large pcap. And I found editcap's -A and -B option a perfect fit for this task except my target time ranges are in epoch time and -A/B requires time in format YYYY-MM-DD HH:MM:SS.
My…
hguo
- 5
- 2