editcap
Edit or truncate packet capture files
SYNOPSIS
editcap [options] <infile> <outfile> [<packet#>[-<packet#>] ...]
PARAMETERS
-i <seconds>
Set the increment between timestamped packets to a specified number of seconds.
-A <time>
Only copy packets with a timestamp after (or equal to) the given time.
-B <time>
Only copy packets with a timestamp before (or equal to) the given time.
-c <packets per file>
Split the capture into multiple files, each containing at most the given number of packets.
-F <capture type>
Set the file format of the output capture file.
-r
Reverse the packet order in the output file.
-s <snaplen>
Truncate the captured data of each packet to a maximum of snaplen bytes.
-t <seconds>
Adjust the timestamp of every packet by adding the specified number of seconds (negative values shift timestamps backwards).
<infile>
The input capture file.
<outfile>
The output capture file.
[<packet#>[-<packet#>] ...]
List of specific packet numbers (or ranges) to include in the output file.
DESCRIPTION
The editcap command is a powerful tool used for editing and manipulating packet capture files, typically in pcap or pcapng format. It allows you to perform various operations such as extracting specific packets, trimming captures, anonymizing data, changing packet headers, and more. editcap is particularly useful for preparing capture files for analysis, filtering out irrelevant data, or redacting sensitive information before sharing them.
It supports multiple input and output file formats, offering flexibility in handling different capture scenarios. editcap never modifies the original capture file; it writes a new file containing the requested changes, so the original evidence is preserved intact. It is an essential tool for network administrators, security analysts, and anyone working with packet capture data. It can also split large capture files into smaller ones, which is useful for processing with other tools that have file size limitations.
CAVEATS
editcap can be memory intensive when dealing with very large capture files. Ensure you have sufficient system resources available.
FILTERING PACKETS
editcap can be used to extract specific packets based on their packet number. This is useful when you want to isolate a specific conversation or event from a larger capture file.
ANONYMIZATION
While not a dedicated anonymization tool, editcap's ability to truncate packet data (-s option) can be used to remove payload data, partially anonymizing a capture file. Dedicated anonymization tools are recommended for complete anonymization.
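The following is an added example, not part of editcap or Wireshark, that reproduces three of the operations described above (packet-number selection, -t timestamp shifting and -s truncation) on a classic little-endian pcap file, so that a defender can see and verify the file-level effect of truncation: each record's captured length (incl_len) shrinks to the snaplen while the original wire length (orig_len) is retained, and the payload bytes are physically absent from the output. The sample capture, the 10.0.0.0/8 addresses, the "password=hunter2" style payloads and the zeroed checksums are all constructed here for the demonstration; the helper names are this example's own.

```python
"""Minimal pcap editor mirroring editcap -s, -t and packet-number selection (added example)."""
import struct
from typing import List, NamedTuple, Optional, Sequence

# Classic libpcap layout: little-endian magic 0xA1B2C3D4, microsecond timestamps.
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len (caplen), orig_len (wire length)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144


class Record(NamedTuple):
    ts_sec: int
    ts_usec: int
    orig_len: int   # length of the frame on the wire
    data: bytes     # captured bytes; len(data) is the record's incl_len


def read_pcap(blob: bytes) -> List[Record]:
    """Parse a little-endian microsecond pcap blob into records."""
    magic = GLOBAL_HDR.unpack_from(blob, 0)[0]
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    records, off = [], GLOBAL_HDR.size
    while off < len(blob):
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        records.append(Record(ts_sec, ts_usec, orig_len, data))
    return records


def write_pcap(records: Sequence[Record], snaplen: int = DEFAULT_SNAPLEN) -> bytes:
    """Serialise records back into a pcap blob with the given snaplen in the global header."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for r in records:
        out.append(RECORD_HDR.pack(r.ts_sec, r.ts_usec, len(r.data), r.orig_len))
        out.append(r.data)
    return b"".join(out)


def edit_capture(blob: bytes, *, snaplen: Optional[int] = None, shift_seconds: float = 0.0,
                 packet_numbers: Optional[Sequence[int]] = None) -> bytes:
    """Apply editcap-style edits: keep only listed packet numbers (1-based, like editcap),
    shift every timestamp by shift_seconds (-t), and cut captured data to snaplen bytes (-s)."""
    records = read_pcap(blob)
    if packet_numbers is not None:
        wanted = set(packet_numbers)
        records = [r for i, r in enumerate(records, start=1) if i in wanted]
    shift_usec = round(shift_seconds * 1_000_000)
    edited = []
    for r in records:
        data = r.data[:snaplen] if snaplen is not None else r.data
        total_usec = r.ts_sec * 1_000_000 + r.ts_usec + shift_usec
        # orig_len is kept: the file still records how long the frame was on the wire.
        edited.append(Record(total_usec // 1_000_000, total_usec % 1_000_000, r.orig_len, data))
    return write_pcap(edited, snaplen if snaplen is not None else DEFAULT_SNAPLEN)


def make_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame (checksums left zero; sample data only)."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    return eth + ip + udp + payload


HEADERS_ONLY = 14 + 20 + 8  # 42 bytes keeps Ethernet+IPv4+UDP headers and drops the UDP payload

# Constructed three-packet sample capture with sensitive-looking payloads.
SAMPLE_PCAP = write_pcap([
    Record(1_700_000_000 + i, 0, len(f), f)
    for i, f in enumerate(make_frame(p) for p in (b"password=hunter2", b"hello", b"token=abc123"))
])


if __name__ == "__main__":
    redacted = edit_capture(SAMPLE_PCAP, snaplen=HEADERS_ONLY)
    for n, r in enumerate(read_pcap(redacted), start=1):
        print(f"packet {n}: caplen={len(r.data)} wirelen={r.orig_len}")
    print("payload still present:", b"hunter2" in redacted)
```

Running the block prints caplen=42 for every packet while the wire lengths (58, 47, 54) survive, and reports that the sensitive payload is no longer in the output. This is the same check worth running on a capture produced with `editcap -s 42 infile outfile` before sharing it: the packet list in Wireshark still shows the original frame sizes, which is why a quick byte search of the redacted file is the reliable confirmation.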
HISTORY
editcap is a part of the Wireshark suite of tools, and its development history is tied to Wireshark's. It has evolved over time to support new capture file formats, additional manipulation capabilities, and performance improvements. The tool has become a standard utility for network analysis and security professionals working with packet captures.