editcap
Edit or truncate packet capture files
SYNOPSIS
editcap [options] <infile> <outfile>
Common options include:
editcap [ -a <time> ] [ -b <time> ] [ -A <start_packet> ] [ -B <end_packet> ]
[ -C <chunksize> ] [ -D <duptime> ] [ -E <nevent> ] [ -F <fileformat> ]
[ -i <interval> ] [ -n <num> ] [ -o <offset> ] [ -r ] [ -s <snaplen> ]
[ -S <time_adjust> ] [ -t <time_adjustment> ] [ -T <encaptype> ] [ -v ]
<infile> <outfile>
PARAMETERS
-A <start_packet>
Include packets starting from this packet number (inclusive).
-B <end_packet>
Include packets up to and including this packet number.
-C <chunksize>
Split the output file into multiple files, each containing <chunksize> packets.
-D <duptime>
Remove duplicate packets within <duptime> seconds tolerance.
-E <nevent>
Add a pseudo-event to the file (e.g., NTP time adjustments).
-F <fileformat>
Set the output file format (e.g., pcap, pcapng). Use -L to list formats.
-h
Display the help message and exit.
-i <interval>
Split the output file into multiple files based on time intervals in seconds.
-L
List all available capture file formats supported for output.
-n <num>
Process only the first <num> packets from the input file.
-o <offset>
Start reading packets from the specified byte offset in the input file.
-p
Don't write packets to the output file; useful with -v for statistics.
-r
Reorder packets in the output file by their timestamp.
-s <snaplen>
Truncate (slice) each packet to a maximum of <snaplen> bytes.
-S <time_adjust>
Shift all packet timestamps by <time_adjust> seconds (e.g., +1.5 or -2.0).
-t <time_adjustment>
Set the first packet's timestamp to <time_adjustment> and adjust all other packet timestamps relative to it.
-T <encaptype>
Set the output encapsulation type (e.g., ETHERNET, NULL). Use -L to list types.
-v
Enable verbose output, showing progress and additional information.
-a <time>
Select packets whose timestamp is greater than or equal to <time>.
-b <time>
Select packets whose timestamp is less than or equal to <time>.
DESCRIPTION
The editcap command is a powerful command-line utility from the Wireshark suite, designed for manipulating and transforming network packet capture files. It enables users to read an existing capture file (e.g., .pcap, .pcapng), apply various modifications, and then write the altered data to a new output file.
Its primary functions include removing specific packets by number or time range, selecting a subset of packets, truncating packet payloads for privacy or size reduction, reordering packets based on their timestamps, and adjusting timestamps to correct synchronization issues. editcap can also be used to remove duplicate packets, split large files into smaller chunks, or limit the number of packets processed.
This tool is invaluable for tasks such as data anonymization, preparing specific datasets for focused analysis, reducing file sizes for easier sharing, or rectifying common issues found in raw capture files. It complements other Wireshark tools like tshark and dumpcap by focusing specifically on offline capture file post-processing.
CAVEATS
editcap operates exclusively on existing capture files, making it unsuitable for live capture manipulation. All specified modifications are applied sequentially, and it's crucial to note that this tool performs 'destructive' editing; always work on copies of your original files to prevent data loss.
While powerful for structural changes, it's not designed for complex packet filtering based on protocol fields or content; for such tasks, tshark or tcpdump with appropriate display or capture filters are more suitable. Be cautious when using timestamp adjustment options (-S, -t) as improper use can lead to non-monotonic timestamps, which might affect analysis in other tools.
COMMON USE CASES
Some of the most frequent applications for editcap include:
• Splitting excessively large capture files into manageable smaller segments for easier analysis or sharing.
• Anonymizing sensitive data by stripping packet payloads (using -s 0) before sharing captures.
• Extracting specific time ranges or packet number ranges from a large capture for focused investigation.
• Correcting timestamp discrepancies or adjusting all timestamps relative to a common baseline.
• Removing duplicate packets to clean up captures, especially useful in mirrored port scenarios.
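As an added illustration (not code from editcap or Wireshark), the Python below reproduces two of the edits listed above on a classic little-endian pcap file: the -s slicing used to strip payloads before sharing, and the -S timestamp shift, together with a monotonicity check for the CAVEATS point about timestamp adjustments. The sample capture is constructed inline; function names are this example's own.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4                 # classic little-endian pcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len

def parse_pcap(data):
    """Return (global header tuple, [(ts_sec, ts_usec, orig_len, captured_bytes), ...])."""
    hdr = GLOBAL_HDR.unpack_from(data, 0)
    if hdr[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off, pkts = GLOBAL_HDR.size, []
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        pkts.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return hdr, pkts

def write_pcap(hdr, pkts):
    out = bytearray(GLOBAL_HDR.pack(*hdr))
    for ts_sec, ts_usec, orig_len, payload in pkts:
        out += REC_HDR.pack(ts_sec, ts_usec, len(payload), orig_len) + payload
    return bytes(out)

def slice_packets(data, snaplen):
    """Like 'editcap -s <snaplen>': keep at most snaplen captured bytes; orig_len stays intact."""
    hdr, pkts = parse_pcap(data)
    hdr = hdr[:5] + (snaplen,) + hdr[6:]  # record the new snapshot length in the global header
    return write_pcap(hdr, [(s, u, o, p[:snaplen]) for s, u, o, p in pkts])

def shift_timestamps(data, seconds):
    """Like 'editcap -S <time_adjust>': add a signed offset (e.g. +1.5 or -2.0) to every timestamp."""
    hdr, pkts = parse_pcap(data)
    delta_us, shifted = round(seconds * 1_000_000), []
    for s, u, o, p in pkts:
        total = s * 1_000_000 + u + delta_us
        if total < 0:
            raise ValueError("shift would move a packet before the epoch")
        shifted.append((total // 1_000_000, total % 1_000_000, o, p))
    return write_pcap(hdr, shifted)

def is_monotonic(data):
    """The CAVEATS check: after editing, no packet timestamp should precede the one before it."""
    stamps = [s * 1_000_000 + u for s, u, _, _ in parse_pcap(data)[1]]
    return all(a <= b for a, b in zip(stamps, stamps[1:]))

# Constructed sample capture (not a real trace): two Ethernet frames, the second one larger.
SAMPLE_HDR = (PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
SAMPLE_PKTS = [(1_700_000_000, 250_000, 60, bytes(range(60))), (1_700_000_001, 100_000, 200, bytes(200))]
SAMPLE_PCAP = write_pcap(SAMPLE_HDR, SAMPLE_PKTS)
```

Slicing keeps orig_len in each record header, so the original frame sizes remain visible to analysis tools even though the bytes themselves are gone.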
INPUT/OUTPUT FORMATS
editcap supports a wide array of input and output capture file formats, inheriting most capabilities from the underlying Wireshark libraries. Users can specify the desired output format using the -F option, and list available formats with -L.
HISTORY
editcap is an integral component of the Wireshark network protocol analyzer suite, which originated as Ethereal. Its development has paralleled the evolution of Wireshark itself, providing essential command-line capabilities for offline capture file manipulation. It emerged as a dedicated utility to handle common post-processing tasks, complementing dumpcap for live capture and tshark for command-line analysis. Its features have grown to support various capture file formats and address user needs for anonymization, file splitting, and timestamp correction, reflecting its role in the broader ecosystem of network analysis tools.