Editcap Guide: 11 Examples To Handle Network Packet Dumps Effectively

by Ramesh Natarajan on February 26, 2009

Network Switch with Ethernet Cables
Photo courtesy of Michael_P

This article is written by Balakrishnan M
 
Editcap utility is used to select or remove specific packets from dump file and translate them into a given format. Editcap does not perform packet captures like ethereal. Instead, it operates on the captured packets and writes some of the required packets into another file. We can pass various options to editcap to get our preferred packets.

In this article, let us review 11 practical examples on how-to use editcap to handle the packet dumps effectively.

Primary Purpose of editcap

Following are the main reason to use editcap command.

  • Divide a dump file into multiple files.
  • Select only the required packets.
  • Translate the capture file from one format to another.
  • Ability to read from a compressed dump file.
  • Make the job easier for network analyzer tool by loading only selective packets, instead of loading whole dump.
  • All feature results in less time consumption when processing or analyzing packets.


Let us assume the scenario where you have to analyze only some specific packet types in a huge dump file. In this situation, we cant use the network packet analyzer (wireshark or ethereal) to load the huge dump file in a single shoh, as it will be a CPU intensive process and the system may hang. Editicap utility makes the job easier by giving only relevant packets, so it could be loaded by network analyzer tool in quick time.

editcap is available in the wireshark package. Make sure wireshark/ethereal package is installed to use the editcap.
 

11 Practical Examples Of edicap Usage

Example 1: Discard set of packets from the beginning of input_dump file

The output_dump file will contain all packets except the first 10 packets.

# editcap -v input_dump output_dump 1-10

Example 2: Discard set of packets from the middle of input_dump file

The output_dump file will contain all packets except packets from 200 to 210.

# editcap -v input_dump output_dump 200-210

Example 3: Select multiple range of packets (from beginning and middle)

The output_dump file will contain first 10 packets and packets from 100 and 200.

# editcap -r  -v input_dump output_dump 1-10  100-200

Example 4: Change the encapsulation type of the capture file using option -T

By default the encapsulation type of the dump file is ether. The example below, translates the capture file into ieee-802-11-bsd format

# editcap -v -T  ieee-802-11-radiotap input_dump output_dump

Example 5: Process the compressed input_dump files

editcap automatically detects the compressed capture file formats. Currently it supports for the gzip format. In the example below, it takes packets from the compressed input file and writes the first 10 packets and the packets in-between 100 and 200 into the output_dump file.

# editcap -r -v input_dump.gz output_dump 1-10 100-200

Example 6: Extract packets between a specific timeperiod using option -A and -B

This example create the output_dump, which contains the packets that are captured between the time mentioned in option A and the time mentioned in option B.

# editcap -v -A "2009-02-11 11:26:30" -B "2009-02-11 11:27:00"  input_dump output_dump

Example 7: Change packet’s timestamp (reduce or advance) using option -t

To advances the timestamp of packets to one hour.

# editcap -t 3600 input_dump output_dump


To reduces the timestamp of packets to 30 minutes,

# editcap -t -1800 input_dump output_dump

Example 8: Remove duplicate packets from the output_dump file using option -d

The example below looks back the previous frames to find the duplication. Finally it gives the dump which does not contain duplication.

# editcap -v -d input_dump output_dump

Example 9: Truncate the packets to the specific length using option -s

Produces the ouptut_dump file with packets length limited to 100. This can be very helpful under lot of situations. For example, you can use this method if you want to get only the IP layer of all the packets and does not require other layer.

# editcap -s 100 -v -A "2009-02-11 11:26:30" -B "2009-02-11 11:27:00"  input_dump.gz output_dump

Example 10: Divide input_dump file into multiple files using option -c

Divide the single dump into multiple file and each contains specified number of packets.

# editcap -v -c 1000 input_dump output

 
If the input_dump contains 5000 packets, editcap will generate the following 5 different output files.

output-00000 
output-00001    
output-00002
output-00003
output-00004

Example 11: Remove certain bytes from the bottom of all packets using option -C

This example removes 10 bytes from every packets and writes into the output file. You can confirm this, by viewing the output file in wireshark, the frame layer of every packet will show “50 bytes bytes on wire, 40 bytes captured” (here the actual size of a packet is 50 bytes).

# editcap -C 10 input_dump output

 
This article was written by Balakrishnan Mariyappan. He is working in bk Systems (p) Ltd, and interested in contributing to the open source. The Geek Stuff welcomes your tips and guest articles.


Linux Sysadmin Course Linux provides several powerful administrative tools and utilities which will help you to manage your systems effectively. If you don’t know what these tools are and how to use them, you could be spending lot of time trying to perform even the basic administrative tasks. The focus of this course is to help you understand system administration tools, which will help you to become an effective Linux system administrator.
Get the Linux Sysadmin Course Now!

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 3 comments… read them below or add one }

1 Gaurav May 21, 2009 at 8:36 am

You are great man, your article helped when i needed it the most !

Now thats help…

cool.. keep it up…

do write more articles. love ‘em… !!!

2 Anonymous July 23, 2012 at 8:35 pm

thank you,great

3 Anonymous May 28, 2013 at 2:03 pm

It may be worth noting – the default output of the pcap files seems to be File type: Wireshark – pcapng. This is different from the input file I used – which was File type: Wireshark/tcpdump/… – libpcap. I had to re-run the edit file with the switch added ‘-F libpcap’ in order to make it to output the same format. (I am feeding these into scapy and scapy didn’t like the pcapng format). As a side note, I am testing the file format with capinfos.exe (bundled with WireShark along with editcap).

Leave a Comment

Previous post:

Next post: