Quicklinks: manpage | Wireshark Docs | code
Editcap can drop packets by time (-A start time, -B stop time), by packet number or range (packet#[-packet#]), and with -r, which inverts the selection so that only the listed packets are kept. tshark can do the same with a display filter (-Y); the two are compared below. Where both work, prefer tshark: the display filter states explicitly which packets are kept, which is easier to read and maintain than editcap's positional selections.
editcap flags | tshark flags
---|---
-A "2019-01-23 19:01:23" | -Y 'frame.time >= "Jan 23, 2019 19:01:23"'
-B "2019-01-23 19:01:23" | -Y 'frame.time < "Jan 23, 2019 19:01:23"'
3-5 (drops packets 3-5) | -Y "frame.number < 3 or frame.number > 5"
-r 3-5 (keeps only packets 3-5) | -Y "frame.number >= 3 and frame.number <= 5"
7 (drops packet 7) | -Y "frame.number != 7"
-r 7 (keeps only packet 7) | -Y "frame.number == 7"

Packets listed on the editcap command line are removed by default; -r reverses that and keeps only the listed packets. -A keeps packets whose timestamp is at or after the start time and -B keeps packets whose timestamp is before the stop time, so a window is -A start -B stop. Both tools read a bare timestamp like the ones above in local time; editcap takes YYYY-MM-DD HH:MM:SS (quote it, because of the space), while a Wireshark display filter takes the "Jan 23, 2019 19:01:23" form.
To chain the two in a oneliner, write tshark's filtered output to a temporary file and hand that file to editcap. Here the DHCP Discover/Request packets (dhcp.type == 1, BOOTREQUEST) are kept and a comment is added to the first packet; packet comments need pcapng, which is editcap's default output format. Give editcap its options before the input and output file names, and quote the temporary file name:

```bash
tempfile=$(mktemp)
tshark -r dhcp.pcap -Y "dhcp.type == 1" -w "$tempfile"
editcap -a 1:"Cool story bro!" "$tempfile" dhcp2.pcap
rm -f "$tempfile"
```

This isn't as elegant as reading from stdin, but editcap does not currently have this capability.
editcap can also reduce packet size: -s <snaplen> truncates every packet to at most snaplen bytes when writing, which shrinks a large capture while keeping the headers most analysis needs (for example, editcap -s 96 in.pcap out.pcapng).
editcap has several fuzzing options: -E <error probability> sets the chance that each byte of a packet is randomly changed, -o <change offset> skips that many bytes at the start of each packet so that headers stay intact and the corrupted packet still reaches the code you want to exercise, and --seed <seed> fixes the random number generator so a run can be reproduced. Used together they turn a capture into a randomly corrupted copy to feed to the program under test. This mimics the bit flips that occur naturally on lossy media such as 802.11, and it is a cheap way to exercise a parser's error handling with otherwise realistic traffic.
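The helpers below are an added example, not code from this page or from the Wireshark project. They turn the three workflows above into reusable shell functions: packet_filter translates an editcap packet selection into the equivalent tshark -Y filter, with editcap's drop-by-default and -r-keeps semantics, and also handles several numbers and ranges in one selection, which the table does not show; filter_and_comment does the temp-file hand-off with cleanup on failure; fuzz_capture runs a reproducible --seed loop and keeps only the inputs that make a target fail. The file names, the target program ./my_parser and the -o offset of 42 (Ethernet + IPv4 + UDP headers, so only the DHCP payload is mutated) are assumptions.

```bash
#!/bin/sh
# Added example; not from the original page or the Wireshark project.
# Uses only editcap/tshark flags that exist: -A/-B, -r, -a, -E, -o, --seed.
set -eu

# Translate an editcap packet selection into an equivalent tshark -Y filter.
# editcap DROPS the packets listed on its command line unless -r is given,
# in which case only the listed packets are KEPT. Several selections may be
# given, e.g.: packet_filter -r 1-2 7
packet_filter() {
  local invert=0 keep="" drop="" out="" n=0 sel lo hi v k d
  if [ "${1:-}" = "-r" ]; then invert=1; shift; fi
  [ "$#" -gt 0 ] || { echo "packet_filter: no packet selection given" >&2; return 1; }
  for sel in "$@"; do
    case "$sel" in
      *-*) lo=${sel%%-*}; hi=${sel#*-} ;;   # N-M range
      *)   lo=$sel; hi=$sel ;;              # single packet number
    esac
    for v in "$lo" "$hi"; do
      case "$v" in
        ''|*[!0-9]*) echo "packet_filter: bad selection '$sel'" >&2; return 1 ;;
      esac
    done
    [ "$lo" -le "$hi" ] || { echo "packet_filter: reversed range '$sel'" >&2; return 1; }
    if [ "$lo" -eq "$hi" ]; then
      k="frame.number == $lo"
      d="frame.number != $lo"
    else
      k="frame.number >= $lo and frame.number <= $hi"
      d="frame.number < $lo or frame.number > $hi"
    fi
    keep="${keep:+$keep or }($k)"     # -r: union of the listed packets
    drop="${drop:+$drop and }($d)"    # default: everything except them
    n=$((n + 1))
  done
  if [ "$invert" -eq 1 ]; then out=$keep; else out=$drop; fi
  # A single selection needs no grouping parentheses.
  if [ "$n" -eq 1 ]; then out=${out#\(}; out=${out%\)}; fi
  printf '%s\n' "$out"
}

# Apply a tshark display filter, then hand the result to editcap to add a
# packet comment (editcap -a FRAME:COMMENT). The intermediate capture lives
# in a mktemp file that is removed whether or not the tools succeed.
# Usage: filter_and_comment IN.pcap OUT.pcapng 'DISPLAY FILTER' FRAME 'COMMENT'
filter_and_comment() {
  local in=$1 out=$2 dfilter=$3 frame=$4 comment=$5 tmp rc=0
  tmp=$(mktemp) || return 1
  tshark -r "$in" -Y "$dfilter" -w "$tmp" \
    && editcap -a "$frame:$comment" "$tmp" "$out" \
    || rc=$?
  rm -f "$tmp"
  return "$rc"
}

# Seed-driven fuzzing loop: write COUNT mutated copies of IN.pcap with editcap
# (-E per-byte change probability, -o bytes left untouched at the start of
# each packet, --seed for reproducibility) and run TARGET on each. Inputs that
# make the target exit non-zero are kept, named by seed, so the same case can
# be regenerated later from the same -E/-o/--seed values.
# Usage: fuzz_capture IN.pcap COUNT PROB OFFSET TARGET [TARGET_ARGS...]
fuzz_capture() {
  local in=$1 count=$2 prob=$3 offset=$4 work i=0 case_file found=0
  shift 4
  work=$(mktemp -d) || return 1
  while [ "$i" -lt "$count" ]; do
    case_file="$work/seed-$i.pcapng"
    editcap -E "$prob" -o "$offset" --seed "$i" "$in" "$case_file"
    if "$@" "$case_file" >/dev/null 2>&1; then
      rm -f "$case_file"
    else
      found=$((found + 1))
      echo "seed $i: target exited non-zero, kept $case_file" >&2
    fi
    i=$((i + 1))
  done
  echo "$found failing case(s) under $work"
}

# Example calls (assumed files and target; tshark/editcap must be installed):
#   tshark -r dhcp.pcap -Y "$(packet_filter -r 3-5)" -w kept.pcapng
#   filter_and_comment dhcp.pcap dhcp2.pcapng 'dhcp.type == 1' 1 'Cool story bro!'
#   fuzz_capture dhcp.pcap 50 0.02 42 ./my_parser
```

packet_filter is the part worth keeping around: it removes the easiest mistake in the table above, forgetting that a bare packet range makes editcap drop those packets rather than keep them, and the generated filter can be pasted into Wireshark as-is.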
Date | Article | Author |
---|---|---|
2018-07-31 | PCAP Split and Merge | Jasper |
2018-02-22 | Split a large capture into smaller files | Checkpoint |
2011-04-11 | Extracting Packets From Large Captures | Packetlife |
2009-02-26 | Editcap, 11 examples | Ramesh Natarajan |