Editcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)

editcap [ -a <frame:comment> ] [ -A <start time> ] [ -B <stop time> ] [ -c <packets per file> ] [ -C [offset:]<choplen> ] [ -E <error probability> ] [ -F <file format> ] [ -i <seconds per file> ] [ -o <change offset> ] [ -L ] [ -r ] [ -s <snaplen> ] [ -S <strict time adjustment> ] [ -t <time adjustment> ] [ -T <encapsulation type> ] [ -V ] [ --inject-secrets <secrets type>,<file> ] [ --discard-all-secrets ] [ --capture-comment <comment> ] [ --discard-capture-comment ] infile outfile [ packet#[-packet#] … ]
editcap -d -D <dup window> -w <dup time window> [ -V ] [ -I <bytes to ignore> ] [ --skip-radiotap-header ] infile outfile
editcap -h|--help
editcap -v|--version

$ editcap
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
<infile> and <outfile> must both be present; use '-' for stdin or stdout.A single packet or a range of packets can be selected.
Packet selection:  -r                     keep the selected packets; default is to delete them.  -A <start time>        only read packets whose timestamp is after (or equal                         to) the given time.  -B <stop time>         only read packets whose timestamp is before the                         given time.                         Time format for -A/-B options is                         YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]                         Unix epoch timestamps are also supported.
Duplicate packet removal:  --novlan               remove vlan info from packets before checking for duplicates.  -d                     remove packet if duplicate (window == 5).  -D <dup window>        remove packet if duplicate; configurable <dup window>.                         Valid <dup window> values are 0 to 1000000.                         NOTE: A <dup window> of 0 with -V (verbose option) is                         useful to print MD5 hashes.  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR                         LESS THAN <dup time window> prior to current packet.                         A <dup time window> is specified in relative seconds                         (e.g. 0.000001).           NOTE: The use of the 'Duplicate packet removal' options with           other editcap options except -V may not always work as expected.           Specifically the -r, -t or -S options will very likely NOT have the           desired effect if combined with the -d, -D or -w.  --skip-radiotap-header skip radiotap header when checking for packet duplicates.                         Useful when processing packets captured by multiple radios                         on the same channel in the vicinity of each other.
Packet manipulation:  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values                         chop at the packet beginning, negative values at the                         packet end. If an optional offset precedes the length,                         then the bytes chopped will be offset from that value.                         Positive offsets are from the packet beginning,                         negative offsets are from the packet end. You can use                         this option more than once, allowing up to 2 chopping                         regions within a packet provided that at least 1                         choplen is positive and at least 1 is negative.  -L                     adjust the frame (i.e. reported) length when chopping                         and/or snapping.  -t <time adjustment>   adjust the timestamp of each packet.                         <time adjustment> is in relative seconds (e.g. -0.5).  -S <strict adjustment> adjust timestamp of packets if necessary to ensure                         strict chronological increasing order. The <strict                         adjustment> is specified in relative seconds with                         values of 0 or 0.000001 being the most reasonable.                         A negative adjustment value will modify timestamps so                         that each packet's delta time is the absolute value                         of the adjustment specified. A value of -0 will set                         all packets to the timestamp of the first packet.  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that                         a particular packet byte will be randomly changed.  -o <change offset>     When used in conjunction with -E, skip some bytes from the                         beginning of the packet. This allows one to preserve some                         bytes, in order to have some headers untouched.  --seed <seed>          When used in conjunction with -E, set the seed to use for                         the pseudo-random number generator. This allows one to                         repeat a particular sequence of errors.  -I <bytes to ignore>   ignore the specified number of bytes at the beginning                         of the frame during MD5 hash calculation, unless the                         frame is too short, then the full frame is used.                         Useful to remove duplicated packets taken on                         several routers (different mac addresses for                         example).                         e.g. -I 26 in case of Ether/IP will ignore                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).  -a <framenum>:<comment> Add or replace comment for given frame number
Output File(s):  -c <packets per file>  split the packet output to different files based on                         uniform packet counts with a maximum of                         <packets per file> each.  -i <seconds per file>  split the packet output to different files based on                         uniform time intervals with a maximum of                         <seconds per file> each.  -F <capture type>      set the output file type; default is pcapng.                         An empty "-F" option will list the file types.  -T <encap type>        set the output file encapsulation type; default is the                         same as the input file. An empty "-T" option will                         list the encapsulation types.  --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List                         supported secret types with "--inject-secrets help".  --discard-all-secrets  Discard all decryption secrets from the input file                         when writing the output file.  Does not discard                         secrets added by "--inject-secrets" in the same                         command line.  --capture-comment <comment>                         Add a capture file comment, if supported.  --discard-capture-comment                         Discard capture file comments from the input file                         when writing the output file.  Does not discard                         comments added by "--capture-comment" in the same                         command line.
Miscellaneous:  -h, --help             display this help and exit.  -V                     verbose output.                         If -V is used with any of the 'Duplicate Packet                         Removal' options (-d, -D or -w) then Packet lengths                         and MD5 hashes are printed to standard-error.  -v, --version          print version information and exit.

$ capinfos test.pcapngFile name:           test.pcapngFile type:           Wireshark/... - pcapngFile encapsulation:  EthernetFile timestamp precision:  microseconds (6)Packet size limit:   file hdr: (not set)Number of packets:   20 kFile size:           9213 kBData size:           8530 kBCapture duration:    37.528437 secondsFirst packet time:   2021-08-15 21:34:27.791910Last packet time:    2021-08-15 21:35:05.320347Data byte rate:      227 kBpsData bit rate:       1818 kbpsAverage packet size: 419.22 bytesAverage packet rate: 542 packets/sSHA256:              03cdf99c02a73c3a0ada4f857eaffa587fd78d081cc8cd4e0c7b79f1587086faRIPEMD160:           78696db33a42825bb42a7c63d0fc6053cc88e851SHA1:                7c9d9db15cfa4c237c16289862e9b1cde08a760fStrict time order:   FalseCapture hardware:    Intel(R) Xeon(R) Gold 6226R CPU @ 2.90GHz (with SSE4.2)Capture oper-sys:    64-bit Windows 10 (1809), build 17763Capture application: Dumpcap (Wireshark) 3.4.7 (v3.4.7-0-ge42cbf6a415f)Capture comment:     testNumber of interfaces in file: 1Interface #0 info:                     Name = DeviceNPF_{15DAC5F9-EEF5-4A7E-A590-E0968FC225A4}                     Description = Ethernet0                     Encapsulation = Ethernet (1 - ether)                     Capture length = 262144                     Time precision = microseconds (6)                     Time ticks per second = 1000000                     Time resolution = 0x06                     Operating system = 64-bit Windows 10 (1809), build 17763                     Number of stat entries = 1                     Number of packets = 20348

Packet selection:  -r                     keep the selected packets; default is to delete them.  -A <start time>        only read packets whose timestamp is after (or equal                         to) the given time.  -B <stop time>         only read packets whose timestamp is before the                         given time.                         Time format for -A/-B options is                         YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]                         Unix epoch timestamps are also supported.

                             $ editcap -r test.pcapng test1.pcapng 1-10保留 test.pcapng 中 1#-10# 的数据包，然后保存为 test1.pcapng

$ editcap -r test.pcapng test1.pcapng 10保留 test.pcapng 中 10# 的数据包，然后保存为 test1.pcapng

$ editcap -A "2021-08-15 21:35:00" test.pcapng test1.pcapng从 test.pcapng 中读取指定时间之后的数据包，然后保存为 test1.pcapng

$ editcap -B "2021-08-15 21:35:00" test.pcapng test1.pcapng从 test.pcapng 中读取指定时间之前的数据包，然后保存为 test1.pcapng

$ editcap -A "2021-08-15 21:34:30" -B "2021-08-15 21:35:00" test.pcapng test1.pcapng从 test.pcapng 中读取指定时间前后的数据包，然后保存为 test1.pcapng

Duplicate packet removal:  --novlan               remove vlan info from packets before checking for duplicates.  -d                     remove packet if duplicate (window == 5).  -D <dup window>        remove packet if duplicate; configurable <dup window>.                         Valid <dup window> values are 0 to 1000000.                         NOTE: A <dup window> of 0 with -v (verbose option) is                         useful to print MD5 hashes.  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR                         LESS THAN <dup time window> prior to current packet.                         A <dup time window> is specified in relative seconds                         (e.g. 0.000001).           NOTE: The use of the 'Duplicate packet removal' options with           other editcap options except -v may not always work as expected.           Specifically the -r, -t or -S options will very likely NOT have the           desired effect if combined with the -d, -D or -w.  --skip-radiotap-header skip radiotap header when checking for packet duplicates.                         Useful when processing packets captured by multiple radios                         on the same channel in the vicinity of each other.


$ editcap --novlan test.pcapng test1.pcapng跟踪文件实测实际无效果，查询文档或与数据包文件相关，需满足 linux sll + vlan 条件的数据包文件。

$ editcap -d test.pcapng test1.pcapng2 packets seen, 1 packet skipped with duplicate window of 5 packets.尝试删除重复的数据包，将当前报文的长度和MD5哈希值与前4个报文进行比较。如果找到匹配，则删除当前报文。这个选项相当于使用选项-D 5。

$ editcap -d -D 6 test1.pcapng test2.pcapng6 packets seen, 1 packet skipped with duplicate window of 6 packets.6个窗口，即将当前报文的长度和MD5哈希值与前5个报文进行比较。

$ editcap -D 0 -V test1.pcapng test2.pcapngFile test1.pcapng is a InfoVista 5View capture capture file.Packet: 1, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7Packet: 2, Len: 112, MD5 Hash: 8115aa6990b2064660934f36f1b5baccPacket: 3, Len: 112, MD5 Hash: 1fbf43ee3fb682cb82d5adddf87bb0ccPacket: 4, Len: 112, MD5 Hash: 129fcc09853b16a260b55b92656fb148Packet: 5, Len: 112, MD5 Hash: 4f2a15c3946ab86b6fccf70ad84d57a9Packet: 6, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de76 packets seen, 0 packets skipped with duplicate window of 0 packets.    
$ editcap -w 0.000015 test.pcapng test2.pcapng6 packets seen, 1 packet skipped with duplicate time window equal to or less than 0.000015000 seconds.      
$ editcap --skip-radiotap-header当检查数据包重复时跳过 radiotap 头部。因无合适数据包文件，暂无测试。

Packet manipulation:  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values                         chop at the packet beginning, negative values at the                         packet end. If an optional offset precedes the length,                         then the bytes chopped will be offset from that value.                         Positive offsets are from the packet beginning,                         negative offsets are from the packet end. You can use                         this option more than once, allowing up to 2 chopping                         regions within a packet provided that at least 1                         choplen is positive and at least 1 is negative.  -L                     adjust the frame (i.e. reported) length when chopping                         and/or snapping.  -t <time adjustment>   adjust the timestamp of each packet.                         <time adjustment> is in relative seconds (e.g. -0.5).  -S <strict adjustment> adjust timestamp of packets if necessary to ensure                         strict chronological increasing order. The <strict                         adjustment> is specified in relative seconds with                         values of 0 or 0.000001 being the most reasonable.                         A negative adjustment value will modify timestamps so                         that each packet's delta time is the absolute value                         of the adjustment specified. A value of -0 will set                         all packets to the timestamp of the first packet.  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that                         a particular packet byte will be randomly changed.  -o <change offset>     When used in conjunction with -E, skip some bytes from the                         beginning of the packet. This allows one to preserve some                         bytes, in order to have some headers untouched.  --seed <seed>          When used in conjunction with -E, set the seed to use for                         the pseudo-random number generator. This allows one to                         repeat a particular sequence of errors.  -I <bytes to ignore>   ignore the specified number of bytes at the beginning                         of the frame during MD5 hash calculation, unless the                         frame is too short, then the full frame is used.                         Useful to remove duplicated packets taken on                         several routers (different mac addresses for                         example).                         e.g. -I 26 in case of Ether/IP will ignore                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).  -a <framenum>:<comment> Add or replace comment for given frame number


$ editcap -s 60 test.pcapng test1.pcapng按 60 字节长度截断数据包。

$ editcap -C 12:4 test.pcapng test2.pcapng删除 vlan 
+---+-------+-----------+---------------+-------------------+| 5 |   10  |     15    |       20      |         25        |+---+-------+-----------+---------------+-------------------+删除 10 和 20 区域字节$ editcap -C 5:10 -C -25:-20 test1.pcapng test2.pcapng$ editcap -C 5:10 -C 50:-20 test1.pcapng test2.pcapng$ editcap -C -70:10 -C -25:-20 test1.pcapng test2.pcapng$ editcap -C -70:10 -C 50:-20 test1.pcapng test2.pcapng$ editcap -C 30:20 -C -60:-10 test1.pcapng test2.pcapng$ editcap -C 30:20 -C 15:-10 test1.pcapng test2.pcapng$ editcap -C -45:20 -C -60:-10 test1.pcapng test2.pcapng$ editcap -C -45:20 -C 15:-10 test1.pcapng test2.pcapng

$ editcap -L -C 12:4 test.pcapng test2.pcapng无 -L 时，-C 删除 4 字节，最终会显示 Frame 长度 112 ，捕获长度 108；有 -L 时，-C 删除 4 字节，最终会显示 Frame 长度 108 ，捕获长度 108 。

$ editcap -t -1 test.pcapng test2.pcapng每个数据包往前调整1s

$ editcap -S -1 test.pcapng test2.pcapng每个数据包按 1s 时间顺序递增

$ editcap -E -0.2 test.pcapng test2.pcapng设置随机改变一个特定数据包字节的概率为 0.2 。此选项用于模糊测试协议解析器。

$ editcap -E -0.2 -o 34 test.pcapng test2.pcapng跳过数据包开头的 34 字节，设置随机改变一个特定数据包字节的概率为 0.2。

$ editcap -E -0.2 --seed 10 test.pcapng test2.pcapng设置伪随机数生成器的种子，这允许重复特定的错误序列。

$ editcap -d -I 26 test.pcapng test2.pcapng20348 packets seen, 11 packets skipped with duplicate window of 5 packets.在MD5哈希计算时，忽略帧开始的指定字节数，除非该帧太短，否则将使用完整帧。

$ editcap -a 1:"test teset" test.pcapng test2.pcapng增加或替换指定数据包的注释

Output File(s):  -c <packets per file>  split the packet output to different files based on                         uniform packet counts with a maximum of                         <packets per file> each.  -i <seconds per file>  split the packet output to different files based on                         uniform time intervals with a maximum of                         <seconds per file> each.  -F <capture type>      set the output file type; default is pcapng.                         An empty "-F" option will list the file types.  -T <encap type>        set the output file encapsulation type; default is the                         same as the input file. An empty "-T" option will                         list the encapsulation types.  --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List                         supported secret types with "--inject-secrets help".  --discard-all-secrets  Discard all decryption secrets from the input file                         when writing the output file.  Does not discard                         secrets added by "--inject-secrets" in the same                         command line.  --capture-comment <comment>                         Add a capture file comment, if supported.  --discard-capture-comment                         Discard capture file comments from the input file                         when writing the output file.  Does not discard                         comments added by "--capture-comment" in the same                         command line.

                            $ editcap -c 4 icmp.pcapng icmp1.pcapng每 4 个包分成一个文件，从00000开始，然后是它的第一个包的时间戳。如果输入文件不包含时间戳信息，则省略时间戳。譬如 icmp.pcapng 中一共 16 个数据包，分割成了 icmp1_00000_20210704113248.pcapng、icmp1_00001_20210704113249.pcapng、icmp1_00002_20210704113250.pcapng、icmp1_00003_20210704113251.pcapng 4个文件。

$ editcap -i 1 icmp.pcapng icmp1.pcapng根据统一的时间间隔将数据包输出分割到不同的文件，每个文件的最大间隔为 1 秒。允许使用浮点值(例如0.5)。

$ editcap -Feditcap: The available capture file types for the "-F" flag are:    pcap - Wireshark/tcpdump/... - pcap    pcapng - Wireshark/... - pcapng    5views - InfoVista 5View capture    btsnoop - Symbian OS btsnoop    commview-ncf - TamoSoft CommView NCF    commview-ncfx - TamoSoft CommView NCFX    dct2000 - Catapult DCT2000 trace (.out format)    erf - Endace ERF capture    eyesdn - EyeSDN USB S0/E1 ISDN trace format    k12text - K12 text file    lanalyzer - Novell LANalyzer    logcat - Android Logcat Binary format    logcat-brief - Android Logcat Brief text format    logcat-long - Android Logcat Long text format    logcat-process - Android Logcat Process text format    logcat-tag - Android Logcat Tag text format    logcat-thread - Android Logcat Thread text format    logcat-threadtime - Android Logcat Threadtime text format    logcat-time - Android Logcat Time text format    modpcap - Modified tcpdump - pcap    netmon1 - Microsoft NetMon 1.x    netmon2 - Microsoft NetMon 2.x    nettl - HP-UX nettl trace    ngsniffer - Sniffer (DOS)    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1    ngwsniffer_2_0 - Sniffer (Windows) 2.00x    nokiapcap - Nokia tcpdump - pcap    nsecpcap - Wireshark/tcpdump/... - nanosecond pcap    nstrace10 - NetScaler Trace (Version 1.0)    nstrace20 - NetScaler Trace (Version 2.0)    nstrace30 - NetScaler Trace (Version 3.0)    nstrace35 - NetScaler Trace (Version 3.5)    observer - Viavi Observer    rf5 - Tektronix K12xx 32-bit .rf5 format    rh6_1pcap - RedHat 6.1 tcpdump - pcap    snoop - Sun snoop    suse6_3pcap - SuSE 6.3 tcpdump - pcap    visual - Visual Networks traffic capture    $ editcap -F pcap设置输出捕获文件的文件格式。缺省为pcapng格式。

$ editcap -Teditcap: The available encapsulation types for the "-T" flag are:    ap1394 - Apple IP-over-IEEE 1394    arcnet - ARCNET    arcnet_linux - Linux ARCNET    ascend - Lucent/Ascend access equipment    atm-pdus - ATM PDUs    atm-pdus-untruncated - ATM PDUs - untruncated    atm-rfc1483 - RFC 1483 ATM    ax25 - Amateur Radio AX.25    ax25-kiss - AX.25 with KISS header    bacnet-ms-tp - BACnet MS/TP    bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info    ber - ASN.1 Basic Encoding Rules    bluetooth-bredr-bb-rf - Bluetooth BR/EDR Baseband RF    bluetooth-h4 - Bluetooth H4    bluetooth-h4-linux - Bluetooth H4 with linux header    bluetooth-hci - Bluetooth without transport layer    bluetooth-le-ll - Bluetooth Low Energy Link Layer    bluetooth-le-ll-rf - Bluetooth Low Energy Link Layer RF    bluetooth-linux-monitor - Bluetooth Linux Monitor    can20b - Controller Area Network 2.0B    chdlc - Cisco HDLC    chdlc-with-direction - Cisco HDLC with Directional Info    cosine - CoSine L2 debug log    dbus - D-Bus    dct2000 - Catapult DCT2000    docsis - Data Over Cable Service Interface Specification    docsis31_xra31 - DOCSIS with Excentis XRA pseudo-header    dpauxmon - DisplayPort AUX channel with Unigraf pseudo-header    dpnss_link - Digital Private Signalling System No 1 Link Layer    dvbci - DVB-CI (Common Interface)    ebhscr - Elektrobit High Speed Capture and Replay    enc - OpenBSD enc(4) encapsulating interface    epon - Ethernet Passive Optical Network    erf - Extensible Record Format    eri_enb_log - Ericsson eNode-B raw log    ether - Ethernet    ether-mpacket - IEEE 802.3br mPackets    ether-nettl - Ethernet with nettl headers    etw - Event Tracing for Windows messages    fc2 - Fibre Channel FC-2    fc2sof - Fibre Channel FC-2 With Frame Delimiter    fddi - FDDI    fddi-nettl - FDDI with nettl headers    fddi-swapped - FDDI with bit-swapped MAC addresses    flexray - FlexRay    frelay - Frame Relay    frelay-with-direction - Frame Relay with Directional Info    gcom-serial - GCOM Serial    gcom-tie1 - GCOM TIE1    gfp-f - ITU-T G.7041/Y.1303 Generic Framing Procedure Frame-mapped mode    gfp-t - ITU-T G.7041/Y.1303 Generic Framing Procedure Transparent mode    gprs-llc - GPRS LLC    gsm_um - GSM Um Interface    hhdlc - HiPath HDLC    i2c-linux - I2C with Linux-specific pseudo-header    ieee-802-11 - IEEE 802.11 Wireless LAN    ieee-802-11-avs - IEEE 802.11 plus AVS radio header    ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header    ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header    ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information    ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header    ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer    infiniband - InfiniBand    ios - Cisco IOS internal    ip-ib - IP over IB    ip-over-fc - RFC 2625 IP-over-Fibre Channel    ip-over-ib - IP over InfiniBand    ipfix - RFC 5655/RFC 5101 IPFIX    ipmb-kontron - Intelligent Platform Management Bus with Kontron pseudo-header    ipmi-trace - IPMI Trace Data Collection    ipnet - Solaris IPNET    irda - IrDA    isdn - ISDN    iso14443 - ISO 14443 contactless smartcard standards    ixveriwave - IxVeriWave header and stats block    jfif - JPEG/JFIF    json - JavaScript Object Notation    juniper-atm1 - Juniper ATM1    juniper-atm2 - Juniper ATM2    juniper-chdlc - Juniper C-HDLC    juniper-ether - Juniper Ethernet    juniper-frelay - Juniper Frame-Relay    juniper-ggsn - Juniper GGSN    juniper-mlfr - Juniper MLFR    juniper-mlppp - Juniper MLPPP    juniper-ppp - Juniper PPP    juniper-pppoe - Juniper PPPoE    juniper-st - Juniper Secure Tunnel Information    juniper-svcs - Juniper Services    juniper-vn - Juniper VN    juniper-vp - Juniper Voice PIC    k12 - K12 protocol analyzer    lapb - LAPB    lapd - LAPD    layer1-event - EyeSDN Layer 1 event    lin - Local Interconnect Network    linux-atm-clip - Linux ATM CLIP    linux-lapd - LAPD with Linux pseudo-header    linux-sll - Linux cooked-mode capture v1    linux-sll2 - Linux cooked-mode capture v2    log_3GPP - 3GPP Phone Log    logcat - Android Logcat Binary format    logcat_brief - Android Logcat Brief text format    logcat_long - Android Logcat Long text format    logcat_process - Android Logcat Process text format    logcat_tag - Android Logcat Tag text format    logcat_thread - Android Logcat Thread text format    logcat_threadtime - Android Logcat Threadtime text format    logcat_time - Android Logcat Time text format    loop - OpenBSD loopback    loratap - LoRaTap    ltalk - Localtalk    message_analyzer_wfp_capture2_v4 - Message Analyzer WFP Capture2 v4    message_analyzer_wfp_capture2_v6 - Message Analyzer WFP Capture2 v6    message_analyzer_wfp_capture_auth_v4 - Message Analyzer WFP Capture Auth v4    message_analyzer_wfp_capture_auth_v6 - Message Analyzer WFP Capture Auth v6    message_analyzer_wfp_capture_v4 - Message Analyzer WFP Capture v4    message_analyzer_wfp_capture_v6 - Message Analyzer WFP Capture v6    mime - MIME    most - Media Oriented Systems Transport    mp2ts - ISO/IEC 13818-1 MPEG2-TS    mp4 - MP4 files    mpeg - MPEG    mtp2 - SS7 MTP2    mtp2-with-phdr - MTP2 with pseudoheader    mtp3 - SS7 MTP3    mux27010 - MUX27010    netanalyzer - Hilscher netANALYZER    netanalyzer-transparent - Hilscher netANALYZER-Transparent    netlink - Linux Netlink    netmon_event - Network Monitor Network Event    netmon_filter - Network Monitor Filter    netmon_header - Network Monitor Header    netmon_network_info - Network Monitor Network Info    nfc-llcp - NFC LLCP    nflog - NFLOG    nordic_ble - nRF Sniffer for Bluetooth LE    nstrace10 - NetScaler Encapsulation 1.0 of Ethernet    nstrace20 - NetScaler Encapsulation 2.0 of Ethernet    nstrace30 - NetScaler Encapsulation 3.0 of Ethernet    nstrace35 - NetScaler Encapsulation 3.5 of Ethernet    null - NULL/Loopback    packetlogger - Apple Bluetooth PacketLogger    pflog - OpenBSD PF Firewall logs    pflog-old - OpenBSD PF Firewall logs, pre-3.4    pktap - Apple PKTAP    ppi - Per-Packet Information header    ppp - PPP    ppp-with-direction - PPP with Directional Info    pppoes - PPP-over-Ethernet session    raw-icmp-nettl - Raw ICMP with nettl headers    raw-icmpv6-nettl - Raw ICMPv6 with nettl headers    raw-telnet-nettl - Raw telnet with nettl headers    rawip - Raw IP    rawip-nettl - Raw IP with nettl headers    rawip4 - Raw IPv4    rawip6 - Raw IPv6    redback - Redback SmartEdge    rfc7468 - RFC 7468 file    rtac-serial - RTAC serial-line    ruby_marshal - Ruby marshal object    s4607 - STANAG 4607    s5066-dpdu - STANAG 5066 Data Transfer Sublayer PDUs(D_PDU)    sccp - SS7 SCCP    sctp - SCTP    sdh - SDH    sdjournal - systemd journal    sdlc - SDLC    sita-wan - SITA WAN packets    slip - SLIP    socketcan - SocketCAN    symantec - Symantec Enterprise Firewall    tnef - Transport-Neutral Encapsulation Format    tr - Token Ring    tr-nettl - Token Ring with nettl headers    tzsp - Tazmen sniffer protocol    unknown - Unknown    unknown-nettl - Unknown link-layer type with nettl headers    usb-20 - USB 2.0/1.1/1.0 packets    usb-darwin - USB packets with Darwin (macOS, etc.) headers    usb-freebsd - USB packets with FreeBSD header    usb-linux - USB packets with Linux header    usb-linux-mmap - USB packets with Linux header and padding    usb-usbpcap - USB packets with USBPcap header    user0 - USER 0    user1 - USER 1    user2 - USER 2    user3 - USER 3    user4 - USER 4    user5 - USER 5    user6 - USER 6    user7 - USER 7    user8 - USER 8    user9 - USER 9    user10 - USER 10    user11 - USER 11    user12 - USER 12    user13 - USER 13    user14 - USER 14    user15 - USER 15    v5-ef - V5 Envelope Function    vpp - Vector Packet Processing graph dispatch trace    vsock - Linux vsock    whdlc - Wellfleet HDLC    wireshark-upper-pdu - Wireshark Upper PDU export    wpan - IEEE 802.15.4 Wireless PAN    wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present    wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY    wpan-tap - IEEE 802.15.4 Wireless with TAP pseudo-header    x2e-serial - X2E serial line capture    x2e-xoraya - X2E Xoraya    x25-nettl - X.25 with nettl headers    xeth - Xerox 3MB Ethernet    zwave-serial - Z-Wave Serial API packets
$ editcap -T linux-sll设置输出捕获文件的包封装类型。如果 -T 用于指定封装类型，输出捕获文件的封装类型将被强制为指定类型。默认类型适合于输入捕获文件的封装类型。

$ editcap --inject-secrets <secrets type>,<file>$ editcap --inject-secrets help    tls    wg$ editcap --inject-secrets tls,tls.log test.pcapng test1.pcapng将tls密钥加进test.pcapng中的 Decryption Secrets Block (DSB)，输出test1.pcapng

$ editcap --discard-all-secrets test1.pcapng test.pcapng当写入输出文件时，丢弃输入文件中的所有解密密钥。

$ editcap --capture-comment "test test" test.pcapng test1.pcapng将给定的注释添加到输出文件中，如果输出文件格式支持的话,将在输入文件中出现的任何注释之后添加新的注释。此选项可以指定多次。注意，Wireshark 目前只显示捕获文件的第一个注释。

$ editcap --discard-capture-comment test1.pcapng test.pcapng丢弃来自输入文件的所有捕获文件注释。

Miscellaneous:  -h, --help             display this help and exit.  -V                     verbose output.                         If -V is used with any of the 'Duplicate Packet                         Removal' options (-d, -D or -w) then Packet lengths                         and MD5 hashes are printed to standard-error.  -v, --version          print version information and exit.


$ editcap -hEditcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)Edit and/or translate the format of capture files.See https://www.wireshark.org for more information.
Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]
<infile> and <outfile> must both be present; use '-' for stdin or stdout.A single packet or a range of packets can be selected.
Packet selection:  -r                     keep the selected packets; default is to delete them.  -A <start time>        only read packets whose timestamp is after (or equal                         to) the given time.  -B <stop time>         only read packets whose timestamp is before the                         given time.                         Time format for -A/-B options is                         YYYY-MM-DDThh:mm:ss[.nnnnnnnnn][Z|+-hh:mm]                         Unix epoch timestamps are also supported.
Duplicate packet removal:  --novlan               remove vlan info from packets before checking for duplicates.  -d                     remove packet if duplicate (window == 5).  -D <dup window>        remove packet if duplicate; configurable <dup window>.                         Valid <dup window> values are 0 to 1000000.                         NOTE: A <dup window> of 0 with -V (verbose option) is                         useful to print MD5 hashes.  -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR                         LESS THAN <dup time window> prior to current packet.                         A <dup time window> is specified in relative seconds                         (e.g. 0.000001).           NOTE: The use of the 'Duplicate packet removal' options with           other editcap options except -V may not always work as expected.           Specifically the -r, -t or -S options will very likely NOT have the           desired effect if combined with the -d, -D or -w.  --skip-radiotap-header skip radiotap header when checking for packet duplicates.                         Useful when processing packets captured by multiple radios                         on the same channel in the vicinity of each other.
Packet manipulation:  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values                         chop at the packet beginning, negative values at the                         packet end. If an optional offset precedes the length,                         then the bytes chopped will be offset from that value.                         Positive offsets are from the packet beginning,                         negative offsets are from the packet end. You can use                         this option more than once, allowing up to 2 chopping                         regions within a packet provided that at least 1                         choplen is positive and at least 1 is negative.  -L                     adjust the frame (i.e. reported) length when chopping                         and/or snapping.  -t <time adjustment>   adjust the timestamp of each packet.                         <time adjustment> is in relative seconds (e.g. -0.5).  -S <strict adjustment> adjust timestamp of packets if necessary to ensure                         strict chronological increasing order. The <strict                         adjustment> is specified in relative seconds with                         values of 0 or 0.000001 being the most reasonable.                         A negative adjustment value will modify timestamps so                         that each packet's delta time is the absolute value                         of the adjustment specified. A value of -0 will set                         all packets to the timestamp of the first packet.  -E <error probability> set the probability (between 0.0 and 1.0 incl.) that                         a particular packet byte will be randomly changed.  -o <change offset>     When used in conjunction with -E, skip some bytes from the                         beginning of the packet. This allows one to preserve some                         bytes, in order to have some headers untouched.  --seed <seed>          When used in conjunction with -E, set the seed to use for                         the pseudo-random number generator. This allows one to                         repeat a particular sequence of errors.  -I <bytes to ignore>   ignore the specified number of bytes at the beginning                         of the frame during MD5 hash calculation, unless the                         frame is too short, then the full frame is used.                         Useful to remove duplicated packets taken on                         several routers (different mac addresses for                         example).                         e.g. -I 26 in case of Ether/IP will ignore                         ether(14) and IP header(20 - 4(src ip) - 4(dst ip)).  -a <framenum>:<comment> Add or replace comment for given frame number
Output File(s):  -c <packets per file>  split the packet output to different files based on                         uniform packet counts with a maximum of                         <packets per file> each.  -i <seconds per file>  split the packet output to different files based on                         uniform time intervals with a maximum of                         <seconds per file> each.  -F <capture type>      set the output file type; default is pcapng.                         An empty "-F" option will list the file types.  -T <encap type>        set the output file encapsulation type; default is the                         same as the input file. An empty "-T" option will                         list the encapsulation types.  --inject-secrets <type>,<file>  Insert decryption secrets from <file>. List                         supported secret types with "--inject-secrets help".  --discard-all-secrets  Discard all decryption secrets from the input file                         when writing the output file.  Does not discard                         secrets added by "--inject-secrets" in the same                         command line.  --capture-comment <comment>                         Add a capture file comment, if supported.  --discard-capture-comment                         Discard capture file comments from the input file                         when writing the output file.  Does not discard                         comments added by "--capture-comment" in the same                         command line.
Miscellaneous:  -h, --help             display this help and exit.  -V                     verbose output.                         If -V is used with any of the 'Duplicate Packet                         Removal' options (-d, -D or -w) then Packet lengths                         and MD5 hashes are printed to standard-error.  -v, --version          print version information and exit.

     $ editcap -rV test.pcapng test1.pcapng 1File test.pcapng is a InfoVista 5View capture capture file.Add_Selected: 1Not inclusive ... 1Packet: 1
$ editcap -dV test.pcapng test1.pcapngFile test.pcapng is a InfoVista 5View capture capture file.Packet: 1, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de7Packet: 2, Len: 112, MD5 Hash: 8115aa6990b2064660934f36f1b5baccPacket: 3, Len: 112, MD5 Hash: 1fbf43ee3fb682cb82d5adddf87bb0ccPacket: 4, Len: 112, MD5 Hash: 129fcc09853b16a260b55b92656fb148Packet: 5, Len: 112, MD5 Hash: 4f2a15c3946ab86b6fccf70ad84d57a9Packet: 6, Len: 112, MD5 Hash: d60cdd08f3de236cf7a2dc35cb7d6de76 packets seen, 0 packets skipped with duplicate window of 5 packets.    

$ editcap -vEditcap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b).
Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.Licensed under the terms of the GNU General Public License (version 2 or later).This is free software; see the file named COPYING in the distribution. There isNO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with binary plugins.
Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) Gold6242R CPU @ 3.10GHz (with SSE4.2), with 16382 MB of physical memory, with GLib2.72.3, with PCRE2 10.40 2022-04-14, with LC_TYPE=C, binary plugins supported.