LinuxCommandLibrary

editcap

Edit or truncate packet capture files

SYNOPSIS

editcap [options] <infile> <outfile> [<packet#>[-<packet#>] ...]
editcap -d | -D <dup window> | -w <dup time window> [-I <bytes to ignore>] <infile> <outfile>

editcap takes exactly one input file. Trailing packet numbers or ranges select packets to delete from the output (or to keep, with -r).

PARAMETERS

-A <start time>
    Only output packets whose timestamp is on or after the given absolute date/time. The bound is absolute, not relative to the first packet; run editcap -h for the time format accepted by your version.

-B <stop time>
    Only output packets whose timestamp is before the given absolute date/time.

-C [offset:]<choplen>
    Chop bytes from each packet: a positive choplen removes bytes from the start (after the optional offset), a negative one removes bytes from the end. Snap-length truncation is -s, not -C.

-D <dup window>
    Remove duplicate packets, comparing each packet against the previous <dup window> packets (0 to 1000000; -D 0 disables the check).

-E <error probability>
    Inject random byte errors: each byte is changed with the given probability (0.0 to 1.0). Intended for testing dissectors and parsers; it does not touch timestamps.

-F <file format>
    Set the output file type (e.g. pcap, pcapng). editcap -F with no other arguments lists the writable formats.

-I <bytes to ignore>
    Ignore the first N bytes of each frame when comparing packets for duplicate removal (-d, -D, -w), e.g. to skip MAC headers that differ per hop.

-L
    When chopping (-C) or snapping (-s), also rewrite the recorded original frame length to match the new captured length.

-T <encapsulation type>
    Set the output link-layer encapsulation type. editcap -T with no other arguments lists the supported types.

-V
    Print version information.

-a <framenum>:<comment>
    Add or replace the comment on the given frame (pcapng output only).

-c <packets per file>
    Split the output into files of this many packets each. Output names get _NNNNN_YYYYMMDDHHMMSS (sequence number, first packet time) inserted before the extension; no printf-style %d pattern is used.

-d
    Remove duplicate packets, comparing each packet against the previous 5.

-h
    Display help.

-i <seconds per file>
    Split the output into files covering this many seconds each, named as for -c.

-o <change offset>
    With -E, leave the first <change offset> bytes of each packet untouched by error injection.

-r
    Reverse the packet selection: keep only the packet numbers or ranges given on the command line instead of deleting them.

-s <snaplen>
    Truncate each packet to snaplen captured bytes. The original-length field is left unchanged unless -L is also given.

-t <time adjustment>
    Add the given number of seconds, which may be negative or fractional (e.g. -0.5), to every selected packet timestamp.

-w <dup time window>
    Remove a packet as a duplicate if an identical packet was seen within the given number of seconds before it.

DESCRIPTION

editcap is a command-line utility from the Wireshark suite that reads a capture file and writes an edited copy in pcap, pcapng or another supported format. It can split a large capture into smaller files by packet count or time interval, delete packets by number or keep only a selected range, drop duplicate packets, shift timestamps, truncate or chop packet bytes, change the link-layer encapsulation type and convert between file formats. It does not merge captures (that is mergecap) and does not dissect protocols: it works on the file header and the per-packet records only. Because it needs no GUI it fits scripts and automation, for example trimming a capture to the time window of an incident, stripping payload before a trace is shared, or converting a file before analysis with tshark or Wireshark.

The duplicate-packet filter (-d, -D, -w, with -I to skip volatile header bytes) is useful for captures taken from several SPAN ports at once, and -E injects random byte errors for fuzz-testing parsers. Live-capture features such as file rotation and autostop conditions belong to dumpcap and tshark, not to editcap.

CAVEATS

Truncation (-s, -C), error injection (-E) and time adjustment (-t) change the packet records, so work on a copy and keep the original when a capture is evidence. Without -L a truncated packet still records its original wire length, so the truncation remains visible (caplen smaller than original length); with -L that field is rewritten and the evidence of truncation is gone. A corrupt or cut-short input file produces a read error and editcap stops; it does not silently skip records. Not every output format supports every encapsulation or snaplen, so a conversion with -F or -T may be refused; check with editcap -F and editcap -T first.

COMMON USAGE

Split large trace: editcap -c 10000 large.pcap split.pcap
    (writes split_00000_<timestamp>.pcap, split_00001_<timestamp>.pcap, ...; editcap chooses the suffix itself)
Truncate: editcap -s 1500 input.pcap output.pcap
    (captured bytes are cut to 1500 per packet; add -L to also rewrite the original-length field)
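Added example, not part of this page or of Wireshark's editcap: a pure-Python model of what -s, -L, -A/-B and -c do to a classic pcap file, run over a constructed five-frame capture. It assumes little-endian classic pcap (no pcapng), microsecond timestamps, and UTC in the generated -c file names (editcap itself uses local time); the function names are this example's own. It is written in Python rather than as editcap invocations so the header fields can be inspected without an editcap binary.

```python
"""Model of a few editcap operations on a classic (little-endian) pcap file.

Added illustration; not editcap's code and it does not call editcap. It
reproduces what -s, -L, -A/-B and -c do to the file structure so the effect
can be checked field by field on a constructed capture.
Assumptions: classic pcap only, microsecond timestamps, UTC in -c file names
(editcap uses local time).
"""
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len (caplen), orig_len
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    ts: float        # epoch seconds
    data: bytes      # bytes stored in the file; caplen == len(data)
    orig_len: int    # length on the wire as recorded in the record header


def write_pcap(packets, snaplen=65535):
    """Serialize packets into a classic pcap byte string."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for p in packets:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        out.append(REC_HDR.pack(sec, usec, len(p.data), p.orig_len))
        out.append(p.data)
    return b"".join(out)


def read_pcap(blob):
    """Parse a classic pcap. A cut-short file raises ValueError, mirroring editcap,
    which reports a read error instead of skipping the damaged record."""
    if len(blob) < GLOBAL_HDR.size or GLOBAL_HDR.unpack_from(blob, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off, packets = GLOBAL_HDR.size, []
    while off < len(blob):
        if off + REC_HDR.size > len(blob):
            raise ValueError(f"record header cut short at offset {off}")
        sec, usec, incl, orig = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if off + incl > len(blob):
            raise ValueError(f"packet data cut short at offset {off}")
        packets.append(Packet(sec + usec / 1e6, blob[off:off + incl], orig))
        off += incl
    return packets


def snap(packets, snaplen, adjust_orig_len=False):
    """editcap -s <snaplen> [-L]: keep only the first snaplen bytes of each packet.
    Without -L orig_len is untouched, so caplen < orig_len reveals the truncation;
    with -L (adjust_orig_len=True) orig_len is rewritten and the evidence is gone."""
    result = []
    for p in packets:
        data = p.data[:snaplen]
        result.append(Packet(p.ts, data, len(data) if adjust_orig_len else p.orig_len))
    return result


def time_window(packets, start=None, stop=None):
    """editcap -A <start> -B <stop>: keep packets with start <= ts < stop; both
    bounds are absolute epoch times, not offsets from the first packet."""
    return [p for p in packets
            if (start is None or p.ts >= start) and (stop is None or p.ts < stop)]


def split_by_count(packets, per_file, outname):
    """editcap -c <packets per file>: chunk the packets and name the outputs as
    editcap does, inserting _NNNNN_YYYYMMDDHHMMSS (chunk number, first packet
    time) before the extension. Returns {file name: pcap bytes}."""
    stem, dot, ext = outname.rpartition(".")
    if not dot:
        stem, ext = outname, ""
    files = {}
    for n in range(0, len(packets), per_file):
        chunk = packets[n:n + per_file]
        stamp = datetime.fromtimestamp(chunk[0].ts, tz=timezone.utc).strftime("%Y%m%d%H%M%S")
        files[f"{stem}_{n // per_file:05d}_{stamp}" + (f".{ext}" if ext else "")] = write_pcap(chunk)
    return files


def demo():
    """Constructed capture: five 314-byte Ethernet frames, one second apart."""
    base = 1_700_000_000  # 2023-11-14T22:13:20Z
    frames = [Packet(base + i, b"\xaa" * 14 + bytes([i]) * 300, 314) for i in range(5)]
    pkts = read_pcap(write_pcap(frames))
    visible = read_pcap(write_pcap(snap(pkts, 64)))[0]                         # -s 64
    hidden = read_pcap(write_pcap(snap(pkts, 64, adjust_orig_len=True)))[0]   # -s 64 -L
    return {
        "count": len(pkts),
        "snap_caplen": len(visible.data), "snap_orig_len": visible.orig_len,
        "snap_L_orig_len": hidden.orig_len,
        "window": [int(p.ts) - base for p in time_window(pkts, base + 1, base + 4)],
        "split_names": sorted(split_by_count(pkts, 2, "split.pcap")),
    }
```

The snap_orig_len / snap_L_orig_len pair in demo() is the forensic point from the caveats: a trace truncated without -L still records the wire length, so an analyst can see that payload was removed; with -L that trace looks as if the bytes were never captured.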

FILE FORMATS

Reads any capture format that Wireshark's wiretap library understands and writes pcap, pcapng, 5views and several others; since Wireshark 1.8 the default output format is pcapng. Run editcap -F with no other arguments to list the writable formats, and use -F <format> to pick one.

HISTORY

Developed as part of Ethereal (first released 1998), which was renamed Wireshark in 2006. Over time editcap gained duplicate-packet removal (-d, -D, -w), pcapng output (the default since Wireshark 1.8, 2012), per-frame comments (-a) and injection of decryption secrets into pcapng files (--inject-secrets, Wireshark 3.0).

SEE ALSO

mergecap(1), tshark(1), tcpdump(1), capinfos(1)
