editcap的使用
1 editcap.exe -h 2 Editcap (Wireshark) 2.4.1 (v2.4.1-0-gf42a0d2b6c) 3 Edit and/or translate the format of capture files. 4 See https://www.wireshark.org for more information. 5 6 Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ] 7 8 <infile> and <outfile> must both be present. 9 A single packet or a range of packets can be selected. 10 11 Packet selection: 12 -r keep the selected packets; default is to delete them. 13 -A <start time> only output packets whose timestamp is after (or equal 14 to) the given time (format as YYYY-MM-DD hh:mm:ss). 15 -B <stop time> only output packets whose timestamp is before the 16 given time (format as YYYY-MM-DD hh:mm:ss). 17 18 Duplicate packet removal: 19 --novlan remove vlan info from packets before checking for dupli 20 cates. 21 -d remove packet if duplicate (window == 5). 22 -D <dup window> remove packet if duplicate; configurable <dup window>. 23 Valid <dup window> values are 0 to 1000000. 24 NOTE: A <dup window> of 0 with -v (verbose option) is 25 useful to print MD5 hashes. 26 -w <dup time window> remove packet if duplicate packet is found EQUAL TO OR 27 LESS THAN <dup time window> prior to current packet. 28 A <dup time window> is specified in relative seconds 29 (e.g. 0.000001). 30 -a <framenum>:<comment> Add or replace comment for given frame number 31 32 -I <bytes to ignore> ignore the specified number of bytes at the beginning 33 of the frame during MD5 hash calculation, unless the 34 frame is too short, then the full frame is used. 35 Useful to remove duplicated packets taken on 36 several routers (different mac addresses for 37 example). 38 e.g. -I 26 in case of Ether/IP will ignore 39 ether(14) and IP header(20 - 4(src ip) - 4(dst ip)). 40 41 NOTE: The use of the 'Duplicate packet removal' options with 42 other editcap options except -v may not always work as expected. 43 Specifically the -r, -t or -S options will very likely NOT have the 44 desired effect if combined with the -d, -D or -w. 45 46 Packet manipulation: 47 -s <snaplen> truncate each packet to max. <snaplen> bytes of data. 48 -C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values 49 chop at the packet beginning, negative values at the 50 packet end. If an optional offset precedes the length, 51 then the bytes chopped will be offset from that value. 52 Positive offsets are from the packet beginning, 53 negative offsets are from the packet end. You can use 54 this option more than once, allowing up to 2 chopping 55 regions within a packet provided that at least 1 56 choplen is positive and at least 1 is negative. 57 -L adjust the frame (i.e. reported) length when chopping 58 and/or snapping. 59 -t <time adjustment> adjust the timestamp of each packet. 60 <time adjustment> is in relative seconds (e.g. -0.5). 61 -S <strict adjustment> adjust timestamp of packets if necessary to ensure 62 strict chronological increasing order. The <strict 63 adjustment> is specified in relative seconds with 64 values of 0 or 0.000001 being the most reasonable. 65 A negative adjustment value will modify timestamps so 66 that each packet's delta time is the absolute value 67 of the adjustment specified. A value of -0 will set 68 all packets to the timestamp of the first packet. 69 -E <error probability> set the probability (between 0.0 and 1.0 incl.) that 70 a particular packet byte will be randomly changed. 71 -o <change offset> When used in conjunction with -E, skip some bytes from 72 the 73 beginning of the packet. This allows one to preserve so 74 me 75 bytes, in order to have some headers untouched. 76 77 Output File(s): 78 -c <packets per file> split the packet output to different files based on 79 uniform packet counts with a maximum of 80 <packets per file> each. 81 -i <seconds per file> split the packet output to different files based on 82 uniform time intervals with a maximum of 83 <seconds per file> each. 84 -F <capture type> set the output file type; default is pcapng. An empty 85 "-F" option will list the file types. 86 -T <encap type> set the output file encapsulation type; default is the 87 same as the input file. An empty "-T" option will 88 list the encapsulation types. 89 90 Miscellaneous: 91 -h display this help and exit. 92 -v verbose output. 93 If -v is used with any of the 'Duplicate Packet 94 Removal' options (-d, -D or -w) then Packet lengths 95 and MD5 hashes are printed to standard-error. 96
97 98 editcap.exe -F 99 editcap.exe: option requires an argument -- 'F' 100 editcap: The available capture file types for the "-F" flag are: 101 5views - InfoVista 5View capture 102 btsnoop - Symbian OS btsnoop 103 commview - TamoSoft CommView 104 dct2000 - Catapult DCT2000 trace (.out format) 105 erf - Endace ERF capture 106 eyesdn - EyeSDN USB S0/E1 ISDN trace format 107 k12text - K12 text file 108 lanalyzer - Novell LANalyzer 109 logcat - Android Logcat Binary format 110 logcat-brief - Android Logcat Brief text format 111 logcat-long - Android Logcat Long text format 112 logcat-process - Android Logcat Process text format 113 logcat-tag - Android Logcat Tag text format 114 logcat-thread - Android Logcat Thread text format 115 logcat-threadtime - Android Logcat Threadtime text format 116 logcat-time - Android Logcat Time text format 117 modpcap - Modified tcpdump - pcap 118 netmon1 - Microsoft NetMon 1.x 119 netmon2 - Microsoft NetMon 2.x 120 nettl - HP-UX nettl trace 121 ngsniffer - Sniffer (DOS) 122 ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1 123 ngwsniffer_2_0 - Sniffer (Windows) 2.00x 124 niobserver - Network Instruments Observer 125 nokiapcap - Nokia tcpdump - pcap 126 nsecpcap - Wireshark/tcpdump/... - nanosecond pcap 127 nstrace10 - NetScaler Trace (Version 1.0) 128 nstrace20 - NetScaler Trace (Version 2.0) 129 nstrace30 - NetScaler Trace (Version 3.0) 130 nstrace35 - NetScaler Trace (Version 3.5) 131 pcap - Wireshark/tcpdump/... - pcap 132 pcapng - Wireshark/... - pcapng 133 rf5 - Tektronix K12xx 32-bit .rf5 format 134 rh6_1pcap - RedHat 6.1 tcpdump - pcap 135 snoop - Sun snoop 136 suse6_3pcap - SuSE 6.3 tcpdump - pcap 137 visual - Visual Networks traffic capture
editcap是Wireshark的一个组件,在Windows平台下,只要完成Wireshark的安装,就可以在安装目录中看到editcap.exe。editcap.exe需要在命令行中使用。
对于用Endace DAG捕捉卡捕获的数据包,一般来说,都是erf格式的。ERF格式全称是Extensible Record Format,具体格式参见http://wiki.wireshark.org/ERF。可以看到,这和pcap文件格式是完全不同的,一般来说,ERF格式的文件包含更多的链路层的信息。
但是大多数情况下,我们基于wireshark源码改写的程序都只能读取pcap文件,所以我们更希望能将ERF文件转为pcap文件。这时我们就可以使用editcap命令来完成这个工作。
首先举一个最简单的例子,使用下面的命令可以直接将erf文件转换为pcap文件。
1 editcap.exe -F pcap -T ether erf-ethernet-example.erf erf-ethernet-example.pcap
下面介绍一下editcap的各种参数。
1、-F <file format> 上面刚刚用到的。指定输出文件的格式,使用 editcap -F 命令可以列出所有支持的格式。我们要pcap,那就写pcap呗。此外,在linux平台下转化为pcap文件时,应当使用 "libpcap" 关键字,记得要先安装libpcap库啊。
2、-T <encapsulation format> 上面也用到。这个是指包装类型,使用 editcap -T 命令可以列出所有支持的格式。所谓包装类型,就是指你需要让数据部分包含从哪一层开始的数据,ether那就是链路层的(以太网),ip就是网络层的,tcp什么的也是可以的啦。
3、-s <snaplen> 这是个类似于tcpdump的功能,后边接变量snaplen使用,就是指截断长度了,这个不是从数据部分开始截,而是从数据部分中,ethernet/ip header/tcp header部分往后的有效负载(payload)部分往后截的。
4、-c <packet per file> 这是个碉堡了的功能,有些人搞不动太大的包,比如某些数据集,提供的数据文件动辄2G起,一次处理不了怎么办?用-c命令就OK了。每个文件指定一定数量的包,存够了就写到下一个文件里。这些文件的具体的命名方式是,在你指定的文件名之后加入数字后缀。
5、-C <choplen> 这又是个碉堡了的功能,可以直接从数据包上切一截子下来。字面意思已经很明显了,chop就是剁,剁掉数据包中间的一段。按照editcap命令给出的在线文档中举的例子,使用这个命令可以很轻松的搞定那些携带802.1q的VLAN tag的包,切掉数据包的第12-15个字节(共4字节)就OK了,切掉之后对别的数据都不影响,就跟没存在过一样。具体命令是
1 editcap -L -C 12:4 capture_vlan.pcap capture_no_vlan.pcap
至于-C的参数,变化更是多得很,这里暂时就不展开了。不过不幸的是,好像老版本的-C命令不支持带冒号的参数,就比如上面这个例子。
6、-A <start time>/-B <stop time> 指定开始时间和结束时间。这个有点像Linux下的某个命令(查证后补上具体是哪个),不过更形象。-A指定开始时间,-B指定结束时间,录音机我们都用过,这样联想一下就简单了。具体的时间可以使用YYYY-MM-DD HH:MM:SS格式来指定。
7、-D <dup window>/-w <dup time window> 用来尝试除去记录文件中的重复包,-D中的dup window参数指定向前检查的包的个数,-w中的dup time window指定向前检查的时间的长度。
To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:
editcap -s 64 -F snoop capture.pcap shortcapture.snoop
To delete packet 1000 from the capture file use:
editcap capture.pcap sans1000.pcap 1000
To limit a capture file to packets from number 200 to 750 (inclusive) use:
editcap -r capture.pcap small.pcap 200-750
To get all packets from number 1-500 (inclusive) use:
editcap -r capture.pcap first500.pcap 1-500
or
editcap capture.pcap first500.pcap 501-9999999
To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:
editcap capture.pcap exclude.pcap 1 5 10-20 30-40
To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:
editcap -r capture.pcap select.pcap 1 5 10-20 30-40
To remove duplicate packets seen within the prior four frames use:
editcap -d capture.pcap dedup.pcap
To remove duplicate packets seen within the prior 100 frames use:
editcap -D 101 capture.pcap dedup.pcap
To remove duplicate packets seen equal to or less than 1/10th of a second:
editcap -w 0.1 capture.pcap dedup.pcap
To display the MD5 hash for all of the packets (and NOT generate any real output file):
editcap -v -D 0 capture.pcap /dev/null
or on Windows systems
editcap -v -D 0 capture.pcap NUL
To introduce 5% random errors in a capture file use:
editcap -E 0.05 capture.pcap capture_error.pcap
