Editcap




Editcap is a program used to remove or select packets from a file and to translate the format of captured files. It doesn't capture live traffic; it only reads data from a saved capture file and then saves some or all of the packets to a new capture file. Editcap can read all of the same types of files that Ethereal can, and by default writes to libpcap format. Editcap can also write captures to standard and modified versions of libpcap, Sun snoop, Novell LANalyzer, Network Associates' Sniffer, Microsoft Network Monitor, Visual Networks traffic capture, Accellent 5Views capture, and Network Instruments Observer version 9 captures. Editcap determines the type of the file it is reading automatically, and can also read files that are compressed with gzip.

By default editcap writes all of the packets in the capture file to the output file. If you specify a list of packet numbers on the command line, those packets will not be written to the output capture file. If the -r option is specified, it reverses the default behaviour and writes only the specified packets to the output capture file. You can also specify a range of packets to include in or exclude from the output capture file.

The following information is the usage output for the editcap program:

C:\Program Files\Ethereal>editcap -h
Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-F <capture type>]
               [-s <snaplen>] [-t <time adjustment>]
               <infile> <outfile> [ <record#>[-<record#>] ... ]
  where -r specifies that the records specified should be kept, not deleted,
                           default is to delete
        -v specifies verbose operation, default is silent
        -h produces this help listing.
        -T <encap type> specifies the encapsulation type to use:
            ether - Ethernet
            tr - Token Ring
            slip - SLIP
            ppp - PPP
            fddi - FDDI
            fddi-swapped - FDDI with bit-swapped MAC addresses
            rawip - Raw IP
            arcnet - ARCNET
            arcnet_linux - Linux ARCNET
            atm-rfc1483 - RFC 1483 ATM
            linux-atm-clip - Linux ATM CLIP
            lapb - LAPB
            atm-pdus - ATM PDUs
            atm-pdus-untruncated - ATM PDUs - untruncated
            null - NULL
            ascend - Lucent/Ascend access equipment
            isdn - ISDN
            ip-over-fc - RFC 2625 IP-over-Fibre Channel
            ppp-with-direction - PPP with Directional Info
            ieee-802-11 - IEEE 802.11 Wireless LAN
            ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
            linux-sll - Linux cooked-mode capture
            frelay - Frame Relay
            frelay-with-direction - Frame Relay with Directional Info
            chdlc - Cisco HDLC
            ios - Cisco IOS internal
            ltalk - Localtalk
            prism - IEEE 802.11 plus Prism II monitor mode header
            pflog-old - OpenBSD PF Firewall logs, pre-3.4
            hhdlc - HiPath HDLC
            docsis - Data Over Cable Service Interface Specification
            cosine - CoSine L2 debug log
            wlan - IEEE 802.11 plus AVS WLAN monitor header
            whdlc - Wellfleet HDLC
            sdlc - SDLC
            tzsp - Tazmen sniffer protocol
            enc - OpenBSD enc(4) encapsulating interface
            pflog - OpenBSD PF Firewall logs
            chdlc-with-direction - Cisco HDLC with Directional Info
            bluetooth-h4 - Bluetooth H4
            mtp2 - SS7 MTP2
            mtp3 - SS7 MTP3
            default is the same as the input file
        -F <capture type> specifies the capture file type to write:
            libpcap - libpcap (tcpdump, Ethereal, etc.)
            rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
            suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
            modlibpcap - modified libpcap (tcpdump)
            nokialibpcap - Nokia libpcap (tcpdump)
            lanalyzer - Novell LANalyzer
            ngsniffer - Network Associates Sniffer (DOS-based)
            snoop - Sun snoop
            netmon1 - Microsoft Network Monitor 1.x
            netmon2 - Microsoft Network Monitor 2.x
            ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
            ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
            visual - Visual Networks traffic capture
            5views - Accellent 5Views capture
            niobserverv9 - Network Instruments Observer version 9
            default is libpcap
        -s <snaplen> specifies that packets should be truncated to
           <snaplen> bytes of data
        -t <time adjustment> specifies the time adjustment
           to be applied to selected packets
            A range of records can be specified as well

The following command line options control Editcap's data translation and output:

  • -F type This option sets the format of the output capture file. For example, if you want to save a file in the Sun snoop format so that snoop can read the capture file, you would use the -F snoop option.

  • -h This option prints the help options of editcap, then exits.

  • -r This option causes the packets whose numbers are specified on the command line to be written to the output capture file. This is the opposite of the default action, which is to remove the packets that are specified on the command line. Packets can only be specified as a consecutive range in the start-end format, or individually; they cannot be comma delimited.

  • -s snaplen This option sets the snapshot length to use when writing the data to the output capture file. Packets that are larger than the snaplen are truncated to that many bytes. This option is helpful if you only want to save the packet headers, or if the program you will be importing the capture file into can only read packets of a certain size.

  • -t [-]seconds[.fractional seconds] This option allows you to specify a time adjustment to apply to the selected frames in the output capture file. The time adjustment is specified in seconds and fractions of a second. An option of -t 3600 advances the timestamp on the selected frames by one hour, while -t -3600 moves the timestamp on the selected frames back by one hour. This option is useful when you need to synchronize packet traces with logs from other devices.

  • -T type This option sets the packet encapsulation type of the output capture file. The default is the same encapsulation type as the input file. This option forces the encapsulation type of the output capture file to the specified type; however, the packet data itself, including its link-layer headers, is written out unchanged from the input capture file. This is because the encapsulation type is stored as metadata in the capture file header, outside of the packet data: only that single field is changed, so the headers and payload of each original packet remain exactly as captured.

  • -v This option causes editcap to print various messages to the screen while it is processing files.
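To make the option semantics above concrete, here is an added example that is not part of the original text and not Ethereal's own code: a small Python implementation of editcap-style record selection (delete by default, keep with -r), snaplen truncation (-s), timestamp adjustment (-t) and encapsulation-type override (-T), applied to a constructed libpcap capture held in memory. The function names (sample_capture, parse_record_spec, editcap_like, read_pcap, write_pcap) and the sample packets are assumptions of this example; the 24-byte libpcap global header, the 16-byte per-record header and the link type numbers 1 (Ethernet) and 105 (IEEE 802.11) are the standard libpcap values.

```python
import struct

# Standard libpcap constants: little-endian magic for microsecond timestamps,
# and the link-layer header type numbers for Ethernet and raw IEEE 802.11.
PCAP_MAGIC_USEC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
LINKTYPE_IEEE802_11 = 105


def write_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535):
    """Serialize (ts_sec, ts_usec, orig_len, data) tuples into a libpcap byte string."""
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, network
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, orig_len, data in packets:
        # Record header: ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), orig_len)
        out += data
    return bytes(out)


def read_pcap(blob):
    """Parse a little-endian libpcap blob; returns (linktype, snaplen, packets)."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("unsupported magic: %#x" % magic)
    packets, off = [], 24
    while off < len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        packets.append((ts_sec, ts_usec, orig_len, data))
    return linktype, snaplen, packets


def parse_record_spec(args):
    """Turn editcap-style record arguments ("1-5", "10") into a set of 1-based record numbers."""
    selected = set()
    for arg in args:
        if "-" in arg:
            lo, hi = (int(x) for x in arg.split("-", 1))
            selected.update(range(lo, hi + 1))   # start-end ranges are inclusive
        else:
            selected.add(int(arg))
    return selected


def editcap_like(blob, records=(), keep=False, snaplen=None, time_adjust=0.0, linktype=None):
    """Apply editcap-style transformations to a pcap blob and return a new blob.

    records:     record numbers / start-end ranges; deleted by default, kept when keep=True (-r)
    snaplen:     truncate each packet's saved data to this many bytes (-s); orig_len is preserved
    time_adjust: seconds (may be negative or fractional) added to every timestamp (-t)
    linktype:    override the link-layer type in the global header only (-T); data is untouched
    """
    in_linktype, in_snaplen, packets = read_pcap(blob)
    spec = parse_record_spec(records)
    out = []
    for num, (ts_sec, ts_usec, orig_len, data) in enumerate(packets, start=1):
        # Default: drop listed records. With keep=True: drop everything NOT listed.
        if spec and ((num in spec) != keep):
            continue
        if snaplen is not None:
            data = data[:snaplen]
        if time_adjust:
            total = ts_sec * 1_000_000 + ts_usec + round(time_adjust * 1_000_000)
            if total < 0:
                raise ValueError("adjusted timestamp would precede the epoch")
            ts_sec, ts_usec = divmod(total, 1_000_000)
        out.append((ts_sec, ts_usec, orig_len, data))
    return write_pcap(out,
                      linktype if linktype is not None else in_linktype,
                      snaplen if snaplen is not None else in_snaplen)


def sample_capture(count=20):
    """Constructed sample capture (not real traffic): Ethernet + IPv4 header + payload per packet."""
    packets = []
    for i in range(count):
        eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
        payload = bytes([i]) * (20 + i)                 # packet i carries 20+i payload bytes
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), i, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        data = eth + ip + payload                       # 54 + i bytes on the wire
        packets.append((1_700_000_000 + i, 250_000, len(data), data))
    return write_pcap(packets)


if __name__ == "__main__":
    blob = sample_capture()
    kept = read_pcap(editcap_like(blob, ["1-5", "10", "15", "17"], keep=True))[2]
    print("kept with -r:", [p[0] - 1_700_000_000 + 1 for p in kept])
    cut = read_pcap(editcap_like(blob, snaplen=35))[2]
    print("after -s 35: saved/original bytes of packet 1:", len(cut[0][3]), "/", cut[0][2])
```

Two details worth noticing when reviewing capture files that have been through such a tool: truncation with -s changes only the per-record incl_len (and the header snaplen), while orig_len still records the original size, so a reader can tell that payload was deliberately dropped; and -T rewrites nothing but the global header's network field, so if the wrong type is chosen, every dissector will simply misinterpret the unchanged bytes that follow.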

The following is an example of using editcap to translate the first five packets, plus packets 10, 15, and 17, from a tethereal libpcap capture file called capture to a Sun snoop output file called capture_snoop:

C:\Program Files\Ethereal>editcap -r -v -F snoop capture capture_snoop 1-5 10 15 17
File capture is a libpcap (tcpdump, Ethereal, etc.) capture file.
Add_Selected: 1-5
Inclusive ... 1, 5
Add_Selected: 10
Not inclusive ... 10
Add_Selected: 15
Not inclusive ... 15
Add_Selected: 17
Not inclusive ... 17
Record: 1
Record: 2
Record: 3
Record: 4
Record: 5
Record: 10
Record: 15
Record: 17

The next example uses editcap to translate all packets, except packets 5 through 120, from a libpcap capture file called capture to a libpcap output file called capture_out:

C:\Program Files\Ethereal>editcap -v capture capture_out 5-120
File capture is a libpcap (tcpdump, Ethereal, etc.) capture file.
Add_Selected: 5-120
Inclusive ... 5, 120
Record: 1
Record: 2
Record: 3
Record: 4
Record: 121
Record: 122

The next example uses editcap to adjust the timestamp forward by five and a half seconds on all packets. It uses an NAI Sniffer Pro capture file called capture.dump as input and saves the output to a Novell LANalyzer file called capture_out:

C:\Program Files\Ethereal>editcap -v -F lanalyzer -t 5.5 capture.dump capture_out
File capture is a libpcap (tcpdump, Ethereal, etc.) capture file.
Record: 1
Record: 2
Record: 3
Record: 4
Record: 5
Record: 6
Record: 7
Record: 8
Record: 9
Record: 10
output removed

The next example uses editcap to save only the first 35 bytes of each packet from the input capture file called capture to the output capture file called capture_out. This is enough to include the full Ethernet header (14 bytes) and a standard IP header (20 bytes) in the output file:

C:\Program Files\Ethereal>editcap -v -s 35 capture capture_out
File capture is a libpcap (tcpdump, Ethereal, etc.) capture file.
Record: 1
Record: 2
Record: 3
Record: 4
Record: 5
Record: 6
Record: 7
Record: 8
Record: 9
Record: 10
output removed

The next example uses editcap to translate the input capture file called capture to the output capture file called capture_out with an encapsulation type of IEEE 802.11 Wireless LAN:

C:\Program Files\Ethereal>editcap -v -T ieee-802-11 capture capture_out
File capture is a libpcap (tcpdump, Ethereal, etc.) capture file.
Record: 1
Record: 2
Record: 3
Record: 4
Record: 5
Record: 6
Record: 7
Record: 8
Record: 9
Record: 10
output removed



Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress