Linux command
editcap command
Text
After copying, replace file names, directories or parameters as needed.
Common examples
Extract packets by range
`editcap -r [input.pcap] [output.pcap] [1-100]`
Remove duplicate packets
`editcap -d [input.pcap] [output.pcap]`
Split by packet count
`editcap -c [1000] [input.pcap] [output.pcap]`
Split by duration
`editcap -i [60] [input.pcap] [output.pcap]`
Convert format
`editcap -F [pcapng] [input.pcap] [output.pcapng]`
Change snap length
`editcap -s [128] [input.pcap] [output.pcap]`
Description
editcap is a packet capture file editor from the Wireshark suite. It reads capture files and writes portions or modified versions to new files, supporting format conversion, packet selection, and time adjustments. Common uses include splitting large captures, removing duplicates, extracting time ranges, and converting between capture formats like pcap and pcapng.
Parameters
- -r: Keep only the selected packets. The packet numbers or ranges (e.g. 1-100) are given after the output file; without -r the listed packets are deleted instead.
- -d: Remove duplicate packets.
- -D _window_: Duplicate detection window in packets (default 5).
- -c _count_: Split into files of _count_ packets each.
- -i _seconds_: Split into files covering _seconds_ of capture time each.
- -F _format_: Output file format (e.g. pcap, pcapng).
- -s _snaplen_: Truncate each packet to _snaplen_ bytes.
- -t _adjustment_: Adjust timestamps by _adjustment_ seconds.
- -S _offset_: Set start time.
- -A _time_: Keep only packets captured after _time_.
- -B _time_: Keep only packets captured before _time_.
- -T _type_: Set the encapsulation (link-layer) type.
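To make the -d / -D behaviour concrete, the following is a small Python re-implementation of window-based duplicate removal over a minimal classic-pcap reader. It is an added example, not Wireshark's own code; the function names and the constructed capture are assumptions made for illustration.

```python
import hashlib
import struct

PCAP_MAGIC = 0xA1B2C3D4                  # classic pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len


def build_pcap(packets, linktype=1):
    """Serialize (ts_sec, ts_usec, payload) tuples as a little-endian pcap blob (constructed input)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype))
    for sec, usec, data in packets:
        out += REC_HDR.pack(sec, usec, len(data), len(data)) + data
    return bytes(out)


def read_pcap(blob):
    """Parse a little-endian pcap blob into (ts_sec, ts_usec, payload) tuples; refuse truncated files."""
    if struct.unpack_from("<I", blob)[0] != PCAP_MAGIC:
        raise ValueError("unsupported capture format or byte order")
    off, packets = GLOBAL_HDR.size, []
    while off < len(blob):
        sec, usec, incl, _orig = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if off + incl > len(blob):
            raise ValueError("truncated record at offset %d" % off)
        packets.append((sec, usec, blob[off:off + incl]))
        off += incl
    return packets


def dedup(packets, window=5):
    """Drop a packet whose length and MD5 match one of the previous window-1 packets.
    This mirrors editcap -D <window> (and -d, which is -D 5): timestamps are ignored,
    and a dropped packet still occupies a slot in the window."""
    recent, kept = [], []
    for pkt in packets:
        key = (len(pkt[2]), hashlib.md5(pkt[2]).digest())
        if key not in recent:
            kept.append(pkt)
        recent.append(key)
        recent = recent[-(window - 1):] if window > 1 else []
    return kept


if __name__ == "__main__":
    # Constructed capture: the same frame seen twice back-to-back, then again five frames later.
    pkts = [(1, i, b"\x00" * 40 + bytes([c])) for i, c in enumerate(b"AABCDEA")]
    print("kept with -d:", len(dedup(read_pcap(build_pcap(pkts)))))   # 6: only the adjacent repeat goes
```

The trailing repeat survives with the default window because only the four preceding packets are compared; a wider window (e.g. -D 7) would drop it too.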
FAQ
What is the editcap command used for?
editcap is a packet capture file editor from the Wireshark suite. It reads capture files and writes portions or modified versions to new files, supporting format conversion, packet selection, and time adjustments. Common uses include splitting large captures, removing duplicates, extracting time ranges, and converting between capture formats like pcap and pcapng.
How do I run a basic editcap example?
Run `editcap -r [input.pcap] [output.pcap] [1-100]` in a terminal, then adjust the file names, paths or flags for your system.
What does -r do in editcap?
It keeps only the selected packets; the packet numbers or ranges are given after the output file name.