Related command line tools
C.5. editcap: Edit capture files
Ethereal includes editcap, a small command-line utility for working with capture files. Its main function is to remove packets from capture files, but it can also convert capture files from one format to another and print information about capture files.
Example C.2. Help information available from editcap
$ editcap.exe -h
Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
               [-F <capture type>]> [-s <snaplen>] [-t <time adjustment>]
               <infile> <outfile> [ <record#>[-<record#>] ... ]
  where
        -E <probability> specifies the probability (between 0 and 1)
           that a particular byte will will have an error.
        -F <capture type> specifies the capture file type to write:
           libpcap - libpcap (tcpdump, Ethereal, etc.)
           rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
           suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
           modlibpcap - modified libpcap (tcpdump)
           nokialibpcap - Nokia libpcap (tcpdump)
           lanalyzer - Novell LANalyzer
           ngsniffer - Network Associates Sniffer (DOS-based)
           snoop - Sun snoop
           netmon1 - Microsoft Network Monitor 1.x
           netmon2 - Microsoft Network Monitor 2.x
           ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
           ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
           nettl - HP-UX nettl trace
           visual - Visual Networks traffic capture
           5views - Accellent 5Views capture
           niobserverv9 - Network Instruments Observer version 9
           default is libpcap
        -h produces this help listing.
        -r specifies that the records specified should be kept, not deleted,
           default is to delete
        -s <snaplen> specifies that packets should be truncated to
           <snaplen> bytes of data
        -t <time adjustment> specifies the time adjustment
           to be applied to selected packets
        -T <encap type> specifies the encapsulation type to use:
           ether - Ethernet
           tr - Token Ring
           slip - SLIP
           ppp - PPP
           fddi - FDDI
           fddi-swapped - FDDI with bit-swapped MAC addresses
           rawip - Raw IP
           arcnet - ARCNET
           arcnet_linux - Linux ARCNET
           atm-rfc1483 - RFC 1483 ATM
           linux-atm-clip - Linux ATM CLIP
           lapb - LAPB
           atm-pdus - ATM PDUs
           atm-pdus-untruncated - ATM PDUs - untruncated
           null - NULL
           ascend - Lucent/Ascend access equipment
           isdn - ISDN
           ip-over-fc - RFC 2625 IP-over-Fibre Channel
           ppp-with-direction - PPP with Directional Info
           ieee-802-11 - IEEE 802.11 Wireless LAN
           prism - IEEE 802.11 plus Prism II monitor mode header
           ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
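
What the record list, -r, -s and -t options in the listing above do to a libpcap file, shown as an added Python sketch that is not part of the original guide and is not editcap's own code. It assumes a classic little-endian libpcap file with microsecond timestamps, applies the time adjustment to every record it writes, and uses hypothetical function names (parse_ranges, read_records, edit_pcap, build_sample).

```python
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len (bytes stored), orig_len (bytes on wire)
MAGIC = 0xA1B2C3D4                    # classic libpcap, microsecond timestamps

def parse_ranges(specs):
    """Expand '<record#>[-<record#>]' arguments into a set of 1-based record numbers."""
    chosen = set()
    for spec in specs:
        first, _, last = spec.partition("-")
        chosen.update(range(int(first), int(last or first) + 1))
    return chosen

def read_records(data):
    """Yield (ts_sec, ts_usec, orig_len, payload) for each record in a libpcap byte string."""
    if PCAP_HDR.unpack_from(data, 0)[0] != MAGIC:
        raise ValueError("not a little-endian microsecond libpcap file")
    pos = PCAP_HDR.size
    while pos < len(data):
        sec, usec, incl, orig = REC_HDR.unpack_from(data, pos)
        pos += REC_HDR.size
        payload = data[pos:pos + incl]
        if len(payload) != incl:
            raise ValueError("record payload is cut short")
        pos += incl
        yield sec, usec, orig, payload

def edit_pcap(data, specs, keep=False, snaplen=None, time_adj=0.0):
    """Mimic record selection (-r), truncation (-s) and time adjustment (-t)."""
    chosen = parse_ranges(specs)
    out = bytearray(data[:PCAP_HDR.size])      # global header copied unchanged in this sketch
    shift = round(time_adj * 1_000_000)        # adjustment in microseconds
    for recno, (sec, usec, orig, payload) in enumerate(read_records(data), start=1):
        if (recno in chosen) != keep:          # default deletes the listed records; keep=True inverts
            continue
        if snaplen is not None:
            payload = payload[:snaplen]        # stored bytes shrink, orig_len still records wire size
        ts = sec * 1_000_000 + usec + shift
        if ts < 0:
            raise ValueError("adjustment moves a timestamp before the epoch")
        out += REC_HDR.pack(ts // 1_000_000, ts % 1_000_000, len(payload), orig) + payload
    return bytes(out)

def build_sample():
    """Constructed sample: four 60-byte records, one second apart, Ethernet link type."""
    out = PCAP_HDR.pack(MAGIC, 2, 4, 0, 0, 65535, 1)
    for i in range(4):
        out += REC_HDR.pack(1000 + i, 0, 60, 60) + bytes([i + 1]) * 60
    return out
```

Calling edit_pcap(build_sample(), ["2-3"]) corresponds to "editcap <infile> <outfile> 2-3"; adding keep=True, snaplen=20 and time_adj=-0.5 corresponds to "-r -s 20 -t -0.5" with the same record range.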