editcap

ADVANCED TOPICS
ANALYZE PCAP
OBTAIN PCAP
GET STARTED
Edit Pcap

Edit packet captures after they have been taken
2 min |  Ross Jacobs |  March 3, 2019

Table of Contents

Quicklinks: manpage | Wireshark Docs | code


Packet manipulation: tshark vs. editcap

Editcap allows you to filter out packets with -A, -B, packet range selection [packet#-packet#] and inverted selection (-r). While tshark/editcap have the same functionality below, tshark is more explicit, which is better for maintainability.

editcap flags tshark flags
-A 2019-01-23 19:01:23 -Y "frame.time >= 1548270083"
-B 2019-01-23 19:01:23 -Y "frame.time <= 1548270083"
3-5 -Y "frame.number >= 3 and frame.number <= 5"
-r 3-5 -Y "frame.number < 3 or frame.number > 5
7 -Y "frame.number == 7"
-r 7 -Y "frame.number != 7"

Using tshark to filter by capture/display filter

In order to create a oneliner and pass the filtered file to editcap, you can create a temporary file:

tempfile=$(mktemp)
tshark -r dhcp.pcap -Y "dhcp.type == 1" -w $tempfile
editcap $tempfile dhcp2.pcap -a 1:"Cool story bro!"

This isn’t as elegant as reading from stdin, but editcap does not currently have this capability

tshark can be used to reduce packet size.

Fuzzing

editcap has several options to fuzz, including -E, -o, and –seed. You can use them in combination to randomly change a packet capture to fuzz it with your program. This can mimic the bit-flipping that will naturally occur on lossy mediums like 802.11.

Similar Articles

Date Article Author
2018-07-31 PCAP Split and Merge Jasper
2018-02-22 Split a large capture into smaller files Checkpoint
2011-04-11 Extracting Packets From Large Captures Packetlife
2009-02-26 Editcap, 11 examples Ramesh Natarajan