editcap的使用

 editcap.exe -h
 Editcap (Wireshark) 2.4. (v2.4.1--gf42a0d2b6c)
 Edit and/or translate the format of capture files.
 See https://www.wireshark.org for more information.

 Usage: editcap [options] ... <infile> <outfile> [ <packet#>[-<packet#>] ... ]

 <infile> and <outfile> must both be present.
 A single packet or a range of packets can be selected.

 Packet selection:
   -r                     keep the selected packets; default is to delete them.
   -A <start time>        only output packets whose timestamp is after (or equal
                          to) the given time (format as YYYY-MM-DD hh:mm:ss).
   -B <stop time>         only output packets whose timestamp is before the
                          given time (format as YYYY-MM-DD hh:mm:ss).

 Duplicate packet removal:
   --novlan               remove vlan info from packets before checking for dupli
 cates.
   -d                     remove packet if duplicate (window == ).
   -D <dup window>        remove packet if duplicate; configurable <dup window>.
                          Valid <dup window> values are  to .
                          NOTE: A <dup window> of  with -v (verbose option) is
                          useful to print MD5 hashes.
   -w <dup time window>   remove packet if duplicate packet is found EQUAL TO OR
                          LESS THAN <dup time window> prior to current packet.
                          A <dup time window> is specified in relative seconds
                          (e.g. 0.000001).
   -a <framenum>:<comment> Add or replace comment for given frame number

   -I <bytes to ignore>   ignore the specified number of bytes at the beginning
                          of the frame during MD5 hash calculation, unless the
                          frame is too short, then the full frame is used.
                          Useful to remove duplicated packets taken on
                          several routers (different mac addresses for
                          example).
                          e.g. -I  in case of Ether/IP will ignore
                          ether() and IP header( - (src ip) - (dst ip)).

            NOTE: The use of the 'Duplicate packet removal' options with
            other editcap options except -v may not always work as expected.
            Specifically the -r, -t or -S options will very likely NOT have the
            desired effect if combined with the -d, -D or -w.

 Packet manipulation:
   -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
   -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                          chop at the packet beginning, negative values at the
                          packet end. If an optional offset precedes the length,
                          then the bytes chopped will be offset from that value.
                          Positive offsets are from the packet beginning,
                          negative offsets are from the packet end. You can use
                          this option more than once, allowing up to  chopping
                          regions within a packet provided that at least
                          choplen is positive and at least  is negative.
   -L                     adjust the frame (i.e. reported) length when chopping
                          and/or snapping.
   -t <time adjustment>   adjust the timestamp of each packet.
                          <time adjustment> is in relative seconds (e.g. -0.5).
   -S <strict adjustment> adjust timestamp of packets if necessary to ensure
                          strict chronological increasing order. The <strict
                          adjustment> is specified in relative seconds with
                          values of  or 0.000001 being the most reasonable.
                          A negative adjustment value will modify timestamps so
                          that each packet's delta time is the absolute value
                          of the adjustment specified. A value of - will set
                          all packets to the timestamp of the first packet.
   -E <error probability> set the probability (between 0.0 and 1.0 incl.) that
                          a particular packet byte will be randomly changed.
   -o <change offset>     When used in conjunction with -E, skip some bytes from
 the
                          beginning of the packet. This allows one to preserve so
 me
                          bytes, in order to have some headers untouched.

 Output File(s):
   -c <packets per file>  split the packet output to different files based on
                          uniform packet counts with a maximum of
                          <packets per file> each.
   -i <seconds per file>  split the packet output to different files based on
                          uniform time intervals with a maximum of
                          <seconds per file> each.
   -F <capture type>      set the output file type; default is pcapng. An empty
                          "-F" option will list the file types.
   -T <encap type>        set the output file encapsulation type; default is the
                          same as the input file. An empty "-T" option will
                          list the encapsulation types.

 Miscellaneous:
   -h                     display this help and exit.
   -v                     verbose output.
                          If -v is used with any of the 'Duplicate Packet
                          Removal' options (-d, -D or -w) then Packet lengths
                          and MD5 hashes are printed to standard-error.
 

---

 editcap.exe -F
 editcap.exe: option requires an argument -- 'F'
 editcap: The available capture file types for the "-F" flag are:
     5views - InfoVista 5View capture
     btsnoop - Symbian OS btsnoop
     commview - TamoSoft CommView
     dct2000 - Catapult DCT2000 trace (.out format)
     erf - Endace ERF capture
     eyesdn - EyeSDN USB S0/E1 ISDN trace format
     k12text - K12 text file
     lanalyzer - Novell LANalyzer
     logcat - Android Logcat Binary format
     logcat-brief - Android Logcat Brief text format
     logcat-long - Android Logcat Long text format
     logcat-process - Android Logcat Process text format
     logcat-tag - Android Logcat Tag text format
     logcat-thread - Android Logcat Thread text format
     logcat-threadtime - Android Logcat Threadtime text format
     logcat-time - Android Logcat Time text format
     modpcap - Modified tcpdump - pcap
     netmon1 - Microsoft NetMon .x
     netmon2 - Microsoft NetMon .x
     nettl - HP-UX nettl trace
     ngsniffer - Sniffer (DOS)
     ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
     ngwsniffer_2_0 - Sniffer (Windows) .00x
     niobserver - Network Instruments Observer
     nokiapcap - Nokia tcpdump - pcap
     nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
     nstrace10 - NetScaler Trace (Version 1.0)
     nstrace20 - NetScaler Trace (Version 2.0)
     nstrace30 - NetScaler Trace (Version 3.0)
     nstrace35 - NetScaler Trace (Version 3.5)
     pcap - Wireshark/tcpdump/... - pcap
     pcapng - Wireshark/... - pcapng
     rf5 - Tektronix K12xx -bit .rf5 format
     rh6_1pcap - RedHat 6.1 tcpdump - pcap
     snoop - Sun snoop
     suse6_3pcap - SuSE 6.3 tcpdump - pcap
     visual - Visual Networks traffic capture

editcap是Wireshark的一个组件，在Windows平台下，只要完成Wireshark的安装，就可以在安装目录中看到editcap.exe。editcap.exe需要在命令行中使用。

对于用Endace DAG捕捉卡捕获的数据包，一般来说，都是erf格式的。ERF格式全称是Extensible Record Format，具体格式参见http://wiki.wireshark.org/ERF。可以看到，这和pcap文件格式是完全不同的，一般来说，ERF格式的文件包含更多的链路层的信息。

但是大多数情况下，我们基于wireshark源码改写的程序都只能读取pcap文件，所以我们更希望能将ERF文件转为pcap文件。这时我们就可以使用editcap命令来完成这个工作。

首先举一个最简单的例子，使用下面的命令可以直接将erf文件转换为pcap文件。

1 editcap.exe -F pcap -T ether erf-ethernet-example.erf erf-ethernet-example.pcap

下面介绍一下editcap的各种参数。

1、-F <file format> 上面刚刚用到的。指定输出文件的格式，使用 editcap -F 命令可以列出所有支持的格式。我们要pcap，那就写pcap呗。此外，在linux平台下转化为pcap文件时，应当使用 "libpcap" 关键字，记得要先安装libpcap库啊。

2、-T <encapsulation format> 上面也用到。这个是指包装类型，使用 editcap -T 命令可以列出所有支持的格式。所谓包装类型，就是指你需要让数据部分包含从哪一层开始的数据，ether那就是链路层的（以太网），ip就是网络层的，tcp什么的也是可以的啦。

3、-s <snaplen> 这是个类似于tcpdump的功能，后边接变量snaplen使用，就是指截断长度了，这个不是从数据部分开始截，而是从数据部分中，ethernet/ip header/tcp header部分往后的有效负载(payload)部分往后截的。

4、-c <packet per file> 这是个碉堡了的功能，有些人搞不动太大的包，比如某些数据集，提供的数据文件动辄2G起，一次处理不了怎么办？用-c命令就OK了。每个文件指定一定数量的包，存够了就写到下一个文件里。这些文件的具体的命名方式是，在你指定的文件名之后加入数字后缀。

5、-C <choplen> 这又是个碉堡了的功能，可以直接从数据包上切一截子下来。字面意思已经很明显了，chop就是剁，剁掉数据包中间的一段。按照editcap命令给出的在线文档中举的例子，使用这个命令可以很轻松的搞定那些携带802.1q的VLAN tag的包，切掉数据包的第12-15个字节（共4字节）就OK了，切掉之后对别的数据都不影响，就跟没存在过一样。具体命令是

1 editcap -L -C 12:4 capture_vlan.pcap capture_no_vlan.pcap

至于-C的参数，变化更是多得很，这里暂时就不展开了。不过不幸的是，好像老版本的-C命令不支持带冒号的参数，就比如上面这个例子。

6、-A <start time>/-B <stop time> 指定开始时间和结束时间。这个有点像Linux下的某个命令（查证后补上具体是哪个），不过更形象。-A指定开始时间，-B指定结束时间，录音机我们都用过，这样联想一下就简单了。具体的时间可以使用YYYY-MM-DD HH:MM:SS格式来指定。

7、-D <dup window>/-w <dup time window> 用来尝试除去记录文件中的重复包，-D中的dup window参数指定向前检查的包的个数，-w中的dup time window指定向前检查的时间的长度。

---

To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:

    editcap -s 64 -F snoop capture.pcap shortcapture.snoop

To delete packet 1000 from the capture file use:

    editcap capture.pcap sans1000.pcap 1000

To limit a capture file to packets from number 200 to 750 (inclusive) use:

    editcap -r capture.pcap small.pcap 200-750

To get all packets from number 1-500 (inclusive) use:

    editcap -r capture.pcap first500.pcap 1-500

or

    editcap capture.pcap first500.pcap 501-9999999

To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:

    editcap capture.pcap exclude.pcap 1 5 10-20 30-40

To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:

    editcap -r capture.pcap select.pcap 1 5 10-20 30-40

To remove duplicate packets seen within the prior four frames use:

    editcap -d capture.pcap dedup.pcap

To remove duplicate packets seen within the prior 100 frames use:

    editcap -D 101 capture.pcap dedup.pcap

To remove duplicate packets seen equal to or less than 1/10th of a second:

    editcap -w 0.1 capture.pcap dedup.pcap

To display the MD5 hash for all of the packets (and NOT generate any real output file):

    editcap -v -D 0 capture.pcap /dev/null

or on Windows systems

    editcap -v -D 0 capture.pcap NUL

To introduce 5% random errors in a capture file use:

  editcap -E 0.05 capture.pcap capture_error.pcap