Editing trace files with Editcap

You can use Editcap to split a trace file that is too large to work with in Wireshark into multiple smaller files, extract a subset of a trace file based on a start and stop time, alter timestamps, remove duplicate packets, and a number of other useful functions.

Type editcap –h in the command prompt for a list of options. The syntax to extract a single packet or a range of packets by packet numbers is as follows:

editcap –r <infile> <outfile> <packet#> [- <packet#>]

You must specify <infile> and <outfile>. The –r specifies to keep, not delete, the specified packet or packet range, for example:

editcap –r MergedTraces.pcapng packetrange.pcapng 1-5000

You can split a source trace file into multiple sequential files, each containing the number of packets specified by the –c option:

editcap –c 5000 MergedTraces.pcapng SplitTrace.pcapng

You can eliminate duplicate packets in a file within a five-packet proximity:

editcap –d hasdupes.pcapng nodupes.pcapng

If you have two trace files that have a significant span of time between them, and you want to merge them into one file but closer together, you can investigate all of the packets within one IO Graph or a similar analysis function; you can first use the –t option on one of the files to adjust the timestamps in that file by a constant amount (in seconds). For example, to subtract 5 hours from a trace file's timestamps, use the following command:

editcap -t -18000 packetrange.pcapng adj_packetrange.pcapng

Comparing the two traces in Wireshark reveals the following details:

• Packet #500 before adjustment: 2014-09-04 15:27:38.696897
• Packet #500 after adjustment: 2014-09-04 10:27:38.696897

You can get more information on and examples of Editcap options at https://www.wireshark.org/docs/man-pages/editcap.html.