Using editcap

Included with Ethereal is a small utility called editcap, a command-line utility for working with capture files. Its main function is to remove packets from a capture file, but it can also be used to convert capture files from one format to another, as well as to print information about capture files.

editcap has the following format:

editcap [-r] [-h] [-v] [-T {encap type}] [-F {capture type}] {infile} {outfile} [record# [-] [record#] ... ]

Where each option has the following meaning:

-r

This option specifies that the frames listed on the command line should be kept and all others deleted. The default (without -r) is to delete the listed frames and keep all others.

-h

This option provides help.

-v

This option specifies verbose operation. The default is silent operation.

-T {encap type}

This option specifies the frame encapsulation type to use. It can take one of the following values:

  • ether - Ethernet

  • tr - Token Ring

  • slip - SLIP

  • ppp - PPP

  • fddi - FDDI

  • fddi-swapped - FDDI with bit-swapped MAC addresses

  • rawip - Raw IP

  • arcnet - ARCNET

  • atm-rfc1483 - RFC 1483 ATM

  • linux-atm-clip - Linux ATM CLIP

  • lapb - LAPB

  • atm-sniffer - ATM Sniffer

  • null - NULL

  • ascend - Lucent/Ascend access equipment

  • lapd - LAPD

  • v120 - V.120

This option is mainly for converting captures with an unusual or mislabelled encapsulation into something that Ethereal can deal with. The default frame encapsulation type is the same as the input encapsulation.

-F {capture type}

This option specifies the capture file format to write the output file in. You can choose from the following values:

  • libpcap - libpcap (tcpdump, Ethereal, etc.)

  • modlibpcap - modified libpcap (tcpdump)

  • rh6_1libpcap - Red Hat Linux 6.1 libpcap (tcpdump)

  • ngsniffer - Network Associates Sniffer (DOS-based)

  • snoop - Sun snoop

  • netmon1 - Microsoft Network Monitor 1.x

  • ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1

The default is libpcap format.

{infile}

This parameter specifies the input file to use. It must be present.

{outfile}

This parameter specifies the output file to use. It must be present.

[record#[-][record# ...]]

This optional parameter specifies the records to include or exclude (depending on the -r option). You can specify individual records or a range of records.
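The following shell script is an added example and is not part of the Ethereal guide or the editcap source. It assembles an editcap command line from the options described above and, for a capture of a known frame count, predicts which frames will remain in the output file under -r (keep) and default (delete) semantics, so a filter can be checked before it is run against a real capture. It assumes ranges are written as N-M without spaces and that frame numbers are 1-based; the file names and frame counts are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the Ethereal guide): build an editcap command line
# and predict which frames survive the record selection.

# build_editcap_cmd MODE ENCAP FORMAT INFILE OUTFILE [record specs...]
#   MODE is "keep" (adds -r) or "delete" (editcap's default behaviour).
#   ENCAP and FORMAT may be "-" to omit the -T / -F options.
build_editcap_cmd() {
    mode=$1 encap=$2 fmt=$3 infile=$4 outfile=$5
    shift 5
    cmd="editcap"
    [ "$mode" = keep ] && cmd="$cmd -r"
    [ "$encap" != - ] && cmd="$cmd -T $encap"
    [ "$fmt" != - ] && cmd="$cmd -F $fmt"
    cmd="$cmd $infile $outfile"
    for spec in "$@"; do cmd="$cmd $spec"; done
    printf '%s\n' "$cmd"
}

# expand_records SPEC... -> space-separated list of individual frame numbers.
# A spec is either a single number (e.g. 10) or a range (assumed form N-M).
expand_records() {
    out=""
    for spec in "$@"; do
        case $spec in
            *-*) lo=${spec%-*}; hi=${spec#*-}
                 i=$lo
                 while [ "$i" -le "$hi" ]; do out="$out $i"; i=$((i+1)); done ;;
            *)   out="$out $spec" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# surviving_frames TOTAL MODE SPEC... -> frame numbers that remain in OUTFILE.
#   keep:   only the listed frames survive (editcap -r)
#   delete: the listed frames are removed, everything else survives (default)
surviving_frames() {
    total=$1 mode=$2
    shift 2
    listed=" $(expand_records "$@") "
    out=""
    i=1
    while [ "$i" -le "$total" ]; do
        case $listed in
            *" $i "*) [ "$mode" = keep ] && out="$out $i" ;;
            *)        [ "$mode" = delete ] && out="$out $i" ;;
        esac
        i=$((i+1))
    done
    printf '%s\n' "${out# }"
}

# Demo on a constructed scenario: a 6-frame capture, keeping frames 2-4 and
# writing the result in Sun snoop format (file names are placeholders).
build_editcap_cmd keep - snoop capture.cap trimmed.snoop 2-4
echo "frames that remain: $(surviving_frames 6 keep 2-4)"
build_editcap_cmd delete - - capture.cap trimmed.cap 2-4
echo "frames that remain: $(surviving_frames 6 delete 2-4)"
```

The prediction helper is useful when trimming a capture before sharing it for incident analysis: comparing the surviving frame list against the intended set catches an inverted -r or an off-by-one range before any frames are actually dropped from the output.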