Wireshark Essentials
Editing trace files with Editcap

You can use Editcap to split a trace file that is too large to work with in Wireshark into multiple smaller files, extract a subset of a trace file based on a start and stop time, alter timestamps, remove duplicate packets, and a number of other useful functions.

Type editcap -h at the command prompt for a list of options. The syntax to extract a single packet or a range of packets by packet number is as follows:

editcap -r <infile> <outfile> <packet#>[-<packet#>]

You must specify both <infile> and <outfile>. The -r option tells editcap to keep, rather than delete, the specified packet or packet range, for example:

editcap -r MergedTraces.pcapng packetrange.pcapng 1-5000

You can split a source trace file into multiple sequential files, each containing at most the number of packets specified by the -c option:

editcap -c 5000 MergedTraces.pcapng SplitTrace.pcapng
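To make the two operations above concrete without needing editcap installed, here is an added example (not from the book) that performs the same packet-number range extraction and split-by-count on a classic little-endian pcap using only the Python standard library. It builds a small constructed capture in memory; the function names and the Ethernet link type are the example's own choices, and it does not handle the pcapng format used in the book's file names.

```python
import struct
from typing import Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4                       # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")        # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")              # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(payloads: List[bytes]) -> bytes:
    """Construct a minimal little-endian pcap (constructed test data, linktype 1 = Ethernet)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, 1))
    for i, p in enumerate(payloads):
        out += REC_HDR.pack(i, 0, len(p), len(p)) + p   # one record per payload, ts_sec = index
    return bytes(out)


def read_records(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (raw record header, packet bytes) for each record; reject non-pcap or truncated input."""
    if len(data) < GLOBAL_HDR.size or struct.unpack_from("<I", data)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    off = GLOBAL_HDR.size
    while off < len(data):
        hdr = data[off:off + REC_HDR.size]
        if len(hdr) < REC_HDR.size:
            raise ValueError("truncated record header")
        incl_len = REC_HDR.unpack(hdr)[2]
        start = off + REC_HDR.size
        if start + incl_len > len(data):
            raise ValueError("truncated packet data")
        yield hdr, data[start:start + incl_len]
        off = start + incl_len


def keep_range(data: bytes, first: int, last: int) -> bytes:
    """Like 'editcap -r in out first-last': keep only packets numbered first..last (1-based)."""
    header = data[:GLOBAL_HDR.size]
    kept = b"".join(h + p for n, (h, p) in enumerate(read_records(data), 1) if first <= n <= last)
    return header + kept


def split_by_count(data: bytes, per_file: int) -> List[bytes]:
    """Like 'editcap -c N in out': sequential chunks of N packets, each a complete pcap."""
    header = data[:GLOBAL_HDR.size]
    chunks: List[bytes] = []
    cur, count = bytearray(header), 0
    for h, p in read_records(data):
        if count == per_file:                 # current chunk is full, start the next file
            chunks.append(bytes(cur))
            cur, count = bytearray(header), 0
        cur += h + p
        count += 1
    if count:
        chunks.append(bytes(cur))
    return chunks


def packet_count(data: bytes) -> int:
    """Number of records in a pcap, counted by walking the records."""
    return sum(1 for _ in read_records(data))
```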

You can eliminate duplicate packets in a file within a five-packet proximity...