Related command line tools

C.5. editcap: Edit capture files

Included with Ethereal is a small utility called editcap, a command-line program for working with capture files. Its main function is to remove packets from capture files, but it can also convert capture files from one format to another, truncate packets to a given snapshot length, shift packet timestamps, and print information about capture files.

Example C.2. Help information available from editcap

$ editcap.exe -h

Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
               [-F <capture type>] [-s <snaplen>] [-t <time adjustment>]
               <infile> <outfile> [ <record#>[-<record#>] ... ]
  where
        -E <probability> specifies the probability (between 0 and 1)
                that a particular byte will have an error.
        -F <capture type> specifies the capture file type to write:
            libpcap - libpcap (tcpdump, Ethereal, etc.)
            rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
            suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
            modlibpcap - modified libpcap (tcpdump)
            nokialibpcap - Nokia libpcap (tcpdump)
            lanalyzer - Novell LANalyzer
            ngsniffer - Network Associates Sniffer (DOS-based)
            snoop - Sun snoop
            netmon1 - Microsoft Network Monitor 1.x
            netmon2 - Microsoft Network Monitor 2.x
            ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
            ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
            nettl - HP-UX nettl trace
            visual - Visual Networks traffic capture
            5views - Accellent 5Views capture
            niobserverv9 - Network Instruments Observer version 9
            default is libpcap
        -h produces this help listing.
        -r specifies that the records specified should be kept, not deleted,
                default is to delete
        -s <snaplen> specifies that packets should be truncated to
                <snaplen> bytes of data
        -t <time adjustment> specifies the time adjustment
                to be applied to selected packets
        -T <encap type> specifies the encapsulation type to use:
            ether - Ethernet
            tr - Token Ring
            slip - SLIP
            ppp - PPP
            fddi - FDDI
            fddi-swapped - FDDI with bit-swapped MAC addresses
            rawip - Raw IP
            arcnet - ARCNET
            arcnet_linux - Linux ARCNET
            atm-rfc1483 - RFC 1483 ATM
            linux-atm-clip - Linux ATM CLIP
            lapb - LAPB
            atm-pdus - ATM PDUs
            atm-pdus-untruncated - ATM PDUs - untruncated
            null - NULL
            ascend - Lucent/Ascend access equipment
            isdn - ISDN
            ip-over-fc - RFC 2625 IP-over-Fibre Channel
            ppp-with-direction - PPP with Directional Info
            ieee-802-11 - IEEE 802.11 Wireless LAN
            prism - IEEE 802.11 plus Prism II monitor mode header
            ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
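As an added example, written for this page and not taken from Ethereal's editcap source, the following Python implements the editcap operations described in the help listing above on the classic libpcap format only: deleting the listed record ranges (or keeping only them, as -r does), truncating each record to a snapshot length as -s does, and shifting timestamps as -t does. The three-frame capture it builds is constructed filler, not real traffic; the other capture file types, the -T encapsulation types and the -E error injection are not covered, and all function and variable names are this example's own.

```python
"""editcap-like record deletion, truncation and time shifting for libpcap files (illustrative)."""
import struct

GLOBAL_HDR = "IHHiIII"  # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = "IIII"        # ts_sec, ts_usec, incl_len (bytes captured), orig_len (bytes on the wire)
LINKTYPE_ETHERNET = 1


def parse_pcap(data):
    """Return (byte-order prefix, global header fields, records).

    Each record is (ts_sec, ts_usec, orig_len, payload). Both byte orders of the
    microsecond-resolution magic are accepted; pcapng and nanosecond pcap are rejected.
    """
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        bo = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        bo = ">"
    else:
        raise ValueError("not a classic libpcap file (magic %r)" % magic)
    ghdr = struct.unpack_from(bo + GLOBAL_HDR, data, 0)
    off = struct.calcsize(GLOBAL_HDR)
    records = []
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(bo + REC_HDR, data, off)
        off += struct.calcsize(REC_HDR)
        payload = data[off:off + incl_len]
        if len(payload) != incl_len:  # header promises more bytes than the file holds
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        records.append((ts_sec, ts_usec, orig_len, payload))
    return bo, ghdr, records


def write_pcap(bo, ghdr, records, snaplen=None):
    """Serialise records back to libpcap bytes; the header snaplen is updated if one was applied."""
    fields = list(ghdr)
    if snaplen is not None:
        fields[5] = snaplen
    out = [struct.pack(bo + GLOBAL_HDR, *fields)]
    for ts_sec, ts_usec, orig_len, payload in records:
        out.append(struct.pack(bo + REC_HDR, ts_sec, ts_usec, len(payload), orig_len))
        out.append(payload)
    return b"".join(out)


def parse_ranges(specs):
    """Expand editcap-style selectors ("3", "5-7") into a set of 1-based record numbers."""
    selected = set()
    for spec in specs:
        lo, _, hi = spec.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if lo < 1 or hi < lo:
            raise ValueError("bad record range: %s" % spec)
        selected.update(range(lo, hi + 1))
    return selected


def edit_records(records, selectors=(), keep=False, snaplen=None, time_adjust=0.0):
    """Delete the selected records (or keep only them when keep=True, like -r),
    cut every surviving payload to snaplen bytes (-s) and add time_adjust seconds
    to every surviving timestamp (-t). With no selectors every record survives."""
    selected = parse_ranges(selectors)
    shift_usec = int(round(time_adjust * 1_000_000))
    out = []
    for num, (ts_sec, ts_usec, orig_len, payload) in enumerate(records, start=1):
        if selectors and ((num in selected) != keep):
            continue
        if snaplen is not None:
            payload = payload[:snaplen]  # incl_len shrinks; orig_len still records the wire size
        ts_sec, ts_usec = divmod(ts_sec * 1_000_000 + ts_usec + shift_usec, 1_000_000)
        out.append((ts_sec, ts_usec, orig_len, payload))
    return out


def sample_capture():
    """Constructed sample input: three Ethernet frames with filler bodies, not real traffic."""
    ghdr = (0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00"  # dst, src, EtherType IPv4
    recs = [
        (1000, 250000, 60, frame + b"A" * 46),
        (1000, 500000, 100, frame + b"B" * 86),
        (1001, 0, 40, frame + b"C" * 26),
    ]
    return write_pcap("<", ghdr, recs)


if __name__ == "__main__":
    bo, ghdr, recs = parse_pcap(sample_capture())
    # Equivalent of: editcap -r -s 54 -t -1.5 in.cap out.cap 1-2
    kept = edit_records(recs, ["1-2"], keep=True, snaplen=54, time_adjust=-1.5)
    for ts_sec, ts_usec, orig_len, payload in kept:
        print("%d.%06d captured %d of %d bytes" % (ts_sec, ts_usec, len(payload), orig_len))
```

Two points worth noting before handing an edited capture to a third party: truncating with a snaplen removes the payload bytes from the file, but each record's orig_len still reveals how large the original packet was, and deleting records does not alter anything inside the packets that remain, so a consumer can still see sequence-number gaps where records were removed.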

Lucent Technologies Ethereal manual Editcap Edit capture files, Example C.2. Help information available from editcap