Editcap 工具用法

最新推荐文章于 2025-10-31 00:42:19 发布

转载最新推荐文章于 2025-10-31 00:42:19 发布 · 7.6k 阅读

文章标签：

#工具 #output #file #tcp #each #processing

编程综合专栏收录该内容

48 篇文章

订阅专栏

options:

-c <packets per file>

Splits the packet output to different files based on uniform packet counts with a maximum of <packets per file> each. Each output file will be created with a suffix -nnnnn, starting with 00000. If the specified number of packets is written to the output file, the next output file is opened. The default is to use a single output file.

-C <choplen>

Sets the chop length to use when writing the packet data. Each packet is chopped at the packet end by a few <choplen> bytes of data.

This is useful in the rare case that the conversion between two file formats leaves some random bytes at the end of each packet.

-d

Attempts to remove duplicate packets. The length and MD5 hash of the current packet are compared to the previous four (4) packets. If a match is found, the current packet is skipped. This option is equivalent to using the option -D 5 .

-D <dup window>

Attempts to remove duplicate packets. The length and MD5 hash of the current packet are compared to the previous <dup window> - 1 packets. If a match is found, the current packet is skipped.

The use of the option -D 0 combined with the -v option is useful in that each packet's Packet number, Len and MD5 Hash will be printed to standard out. This verbose output (specifically the MD5 hash strings) can be useful in scripts to identify duplicate packets across trace files.

The <dup window> is specifed as an integer value between 0 and 1000000 (inclusive).

NOTE: Specifying large <dup window> values with large tracefiles can result in very long processing times for editcap .

-w <dup time window>

Attempts to remove duplicate packets. The current packet's arrival time is compared with up to 1000000 previous packets. If the packet's relative arrival time is less than or equal to the <dup time window> of a previous packet and the packet length and MD5 hash of the current packet are the same then the packet to skipped. The duplicate comparison test stops when the current packet's relative arrival time is greater than <dup time window>.

The <dup time window> is specifed as seconds [.fractional seconds ].

The [.fractional seconds] component can be specified to nine (9) decimal places (billionths of a second) but most typical trace files have resolution to six (6) decimal places (millionths of a second).

NOTE: Specifying large <dup time window> values with large tracefiles can result in very long processing times for editcap .

NOTE: The -w option assumes that the packets are in chronological order. If the packets are NOT in chronological order then the -w duplication removal option may not identify some duplicates.

-E <error probability>

Sets the probabilty that bytes in the output file are randomly changed. Editcap uses that probability (between 0.0 and 1.0 inclusive) to apply errors to each data byte in the file. For instance, a probability of 0.02 means that each byte has a 2% chance of having an error.

This option is meant to be used for fuzz-testing protocol dissectors.

-F <file format>

Sets the file format of the output capture file. Editcap can write the file in several formats, editcap -F provides a list of the available output formats. The default is the libpcap format.

-A <start time>

Saves only the packets whose timestamp is on or after start time. The time is given in the following format YYYY-MM-DD HH:MM:SS

-B <stop time>

Saves only the packets whose timestamp is on or before stop time. The time is given in the following format YYYY-MM-DD HH:MM:SS

-h

Prints the version and options and exits.

-i <seconds per file>

Splits the packet output to different files based on uniform time intervals using a maximum interval of <seconds per file> each. Each output file will be created with a suffix -nnnnn, starting with 00000. If packets for the specified time interval are written to the output file, the next output file is opened. The default is to use a single output file.

-r

Reverse the packet selection. Causes the packets whose packet numbers are specified on the command line to be written to the output capture file, instead of discarding them.

-s <snaplen>

Sets the snapshot length to use when writing the data. If the -s flag is used to specify a snapshot length, packets in the input file with more captured data than the specified snapshot length will have only the amount of data specified by the snapshot length written to the output file.

This may be useful if the program that is to read the output file cannot handle packets larger than a certain size (for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet packets larger than the standard Ethernet MTU, making them incapable of handling gigabit Ethernet captures if jumbo packets were used).

-t <time adjustment>

Sets the time adjustment to use on selected packets. If the -t flag is used to specify a time adjustment, the specified adjustment will be applied to all selected packets in the capture file. The adjustment is specified as [-]seconds [.fractional seconds ]. For example, -t 3600 advances the timestamp on selected packets by one hour while -t -0.5 reduces the timestamp on selected packets by one-half second.

This feature is useful when synchronizing dumps collected on different machines where the time difference between the two machines is known or can be estimated.

-T <encapsulation type>

Sets the packet encapsulation type of the output capture file. If the -T flag is used to specify an encapsulation type, the encapsulation type of the output capture file will be forced to the specified type. editcap -T provides a list of the available types. The default type is the one appropriate to the encapsulation type of the input capture file.

Note: this merely forces the encapsulation type of the output file to be the specified type; the packet headers of the packets will not be translated from the encapsulation type of the input capture file to the specified encapsulation type (for example, it will not translate an Ethernet capture to an FDDI capture if an Ethernet capture is read and '-T fddi ' is specified). If you need to remove/add headers from/to a packet, you will need od(1)/text2pcap(1).

-v

Causes editcap to print verbose messages while it's working.

Use of -v with the de-duplication switches of -d , -D or -w will cause all MD5 hashes to be printed whether the packet is skipped or not.

example:

To see more detailed description of the options use:

    editcap -h

To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:

    editcap -s 64 -F snoop capture.pcap shortcapture.snoop

To delete packet 1000 from the capture file use:

    editcap capture.pcap sans1000.pcap 1000

To limit a capture file to packets from number 200 to 750 (inclusive) use:

    editcap -r capture.pcap small.pcap 200-750

To get all packets from number 1-500 (inclusive) use:

    editcap -r capture.pcap first500.pcap 1-500

    editcap capture.pcap first500.pcap 501-9999999

To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:

    editcap capture.pcap exclude.pcap 1 5 10-20 30-40

To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:

    editcap -r capture.pcap select.pcap 1 5 10-20 30-40

To remove duplicate packets seen within the prior four frames use:

    editcap -d capture.pcap dedup.pcap

To remove duplicate packets seen within the prior 100 frames use:

    editcap -D 101 capture.pcap dedup.pcap

To remove duplicate packets seen equal to or less than 1/10th of a second:

    editcap -w 0.1 capture.pcap dedup.pcap

To display the MD5 hash for all of the packets (and NOT generate any real output file):

    editcap -v -D 0 capture.pcap /dev/null

or on Windows systems

    editcap -v -D 0 capture.pcap NUL

To introduce 5% random errors in a capture file use:

  editcap -E 0.05 capture.pcap capture_error.pcap

tcpdump 与  windump

大家都知道，unix系统下有个tcpdump的抓包工具，非常好用，是做troubleshooting的好帮手。其实在windows下也有一个类似的工作，叫windump，可以方便的根据需要进行抓包。下面我举几个常用例子介绍一下这个工具的使用方法。

1、windump –D 列出本机可供抓包的全部接口。

这个命令在本机有多个网卡时非常有用。比如，我的机器装有3块网卡，而我只抓第二块网卡上的包，那么我用windump –D列出机器上所有的网卡，再指定只抓第二块网卡的包，方法如下：

windump –D

windump –i 2(网卡序号)

2、windump –n 不解析主机名，直接显示抓包的主机IP地址。

3、windump –n host 192.168.1.2 只抓关于192.168.1.2主机的包（不管包的方向）。

4、windump –n host 192.168.1.2 and udp port 514 只抓关于主机192.168.1.2上udp协议端口为514的包。

同理，我也可以抓所有tcp协议23端口的包，命令如下：

windump –n host 192.168.1.2 and tcp port 23

或者，我只抓udp 514端口的包，不管ip是多少，命令如下：

windump –n udp port 514

5、windump –n net 133.160 抓133.160网段的包，不管包的方向。

取反 windump -n not net 133.136 或 windump -n net ! 133.136

同理，我也可以抓所有133.160网段的且tcp端口为3389的包，命令如下：

windump –n net 133.160 and tcp port 3389

windump -n dst net 133.123 #目标网段

6、windump –n host ! 133.191.1.1 抓所有非133.191.1.1有关的包。

同理，我要抓除了133.191.1.1之外的所有机器的tcp端口为3389的包，命令如下：

windump –n host ! 133.191.1.1 and tcp port 3389

7、windump –n dst host 133.191.1.1 抓所有发送到133.191.1.1的包。

同理，可以用and 或or参数，如：

windump –n dst host 133.191.1.1 ort src host 101.1.1.1

windump -r "d:/file.pcap" -w "d:/asu/out.pcap" ip host 193.15.13.1 and tcp port 49

http://www.tcpdump.org/tcpdump_man.html

EXAMPLES

To print all packets arriving at or departing from sundown
:

tcpdump host sundown

To print traffic between helios
 and either hot
 or ace
:

tcpdump host helios and /( hot or ace /)

To print all IP packets between ace
 and any host except helios
:

tcpdump ip host ace and not helios

To print all traffic between local hosts and hosts at Berkeley:

tcpdump net ucb-ether

To print all ftp traffic through internet gateway snup
: (note that the expression is quoted to prevent the shell from (mis-)interpreting the parentheses):

tcpdump 'gateway snup and (port ftp or ftp-data)'

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other net, this stuff should never make it onto your local net).

tcpdump ip and not net 
localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host.

tcpdump 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net 
localnet
'

To print all IPv4 HTTP packets to and from port 80, i.e. print only packets that contain data, not, for example, SYN and FIN packets and ACK-only packets. (IPv6 is left as an exercise for the reader.)

tcpdump 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'

To print IP packets longer than 576 bytes sent through gateway snup
:

tcpdump 'gateway snup and ip[2:2] > 576'

To print IP broadcast or multicast packets that were not
 sent via Ethernet broadcast or multicast:

tcpdump 'ether[0] & 1 = 0 and ip[16] >= 224'

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

tcpdump 'icmp[icmptype] != icmp-echo and icmp[icmptype] != icmp-echoreply'

Mergecap useage:

http://www.wireshark.org/docs/man-pages/mergecap.html

mergecap - Merges two or more capture files into one
 
mergecap
 [ -a
 ] [ -F
 <file format
> ] [ -h
 ] [ -s
 <snaplen
> ] [ -T
 <encapsulation type
> ] [ -v
 ] -w
 <outfile
>|- <infile
> ...


a+b=outfile: