.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.14
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sh \" Subsection heading
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  | will give a
.\" real vertical bar.  \*(C+ will give a nicer C++.  Capital omega is used to
.\" do unbreakable dashes and therefore won't be available.  \*(C` and \*(C'
.\" expand to `' in nroff, nothing in troff, for use with C<>.
.tr \(*W-|\(bv\*(Tr
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
'br\}
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.if \nF \{\
.    de IX
.    tm Index:\\$1\t\\n%\t"\\$2"
..
.    nr % 0
.    rr F
.\}
.\"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.hy 0
.if n .na
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EDITCAP 1"
.TH EDITCAP 1 "2009-01-15" "1.1.2" "The Wireshark Network Analyzer"
.SH "NAME"
editcap \- Edit and/or translate the format of capture files
.SH "SYNOPSYS"
.IX Header "SYNOPSYS"
\&\fBeditcap\fR
[\ \fB\-c\fR\ <packets\ per\ file>\ ]
[\ \fB\-C\fR\ <choplen>\ ]
[\ \fB\-d\fR\ ]
[\ \fB\-E\fR\ <error\ probability>\ ]
[\ \fB\-F\fR\ <file\ format>\ ]
[\ \fB\-A\fR\ <start\ time>\ ]
[\ \fB\-B\fR\ <stop\ time>\ ]
[\ \fB\-h\fR\ ]
[\ \fB\-r\fR\ ]
[\ \fB\-s\fR\ <snaplen>\ ]
[\ \fB\-t\fR\ <time\ adjustment>\ ]
[\ \fB\-T\fR\ <encapsulation\ type>\ ]
[\ \fB\-v\fR\ ]
\&\fIinfile\fR
\&\fIoutfile\fR
[\ \fIpacket#\fR[\-\fIpacket#\fR]\ ...\ ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBEditcap\fR is a program that reads some or all of the captured packets from the 
\&\fIinfile\fR, optionally converts them in various ways and writes the 
resulting packets to the capture \fIoutfile\fR (or outfiles). 
.PP
By default, it reads all packets from the \fIinfile\fR and writes them to the 
\&\fIoutfile\fR in libpcap file format.
.PP
A list of packet numbers can be specified on the command line; ranges of 
packet numbers can be specified as \fIstart\fR\-\fIend\fR, referring to all packets 
from \fIstart\fR to \fIend\fR.
The selected packets with those numbers will \fInot\fR be written to the 
capture file. 
If the \fB\-r\fR flag is specified, the whole packet selection is reversed; 
in that case \fIonly\fR the selected packets will be written to the capture file.
.PP
\&\fBEditcap\fR is able to detect, read and write the same capture files that 
are supported by \fBWireshark\fR.
The input file doesn't need a specific filename extension; the file 
format and an optional gzip compression will be automatically detected.
Near the beginning of the \s-1DESCRIPTION\s0 section of \fIwireshark\fR\|(1) or
<http://www.wireshark.org/docs/man\-pages/wireshark.html>
is a detailed description of the way \fBWireshark\fR handles this, which is
the same way \fBEditcap\fR handles this.
.PP
\&\fBEditcap\fR can write the file in several output formats. The \fB\-F\fR
flag can be used to specify the format in which to write the capture
file, \fBeditcap \-F\fR provides a list of the available output formats.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\-c  <packets per file>" 4
.IX Item "-c  <packets per file>"
Sets the maximum number of packets per output file. Each output file will 
be created with a suffix \-nnnnn, starting with 00000. If the specified 
number of packets are written to the output file, the next output file is 
opened. The default is to use a single output file.
.IP "\-C  <choplen>" 4
.IX Item "-C  <choplen>"
Sets the chop length to use when writing the packet data.
Each packet is chopped at the packet end by a few <choplen> bytes of data.
.Sp
This is useful in the rare case that the conversion between two file 
formats leaves some random bytes at the end of each packet.
.IP "\-d" 4
.IX Item "-d"
Attempts to remove duplicate packets.  The length and \s-1MD5\s0 sum of the 
current packet are compared to the previous four packets.  If a match 
is found, the packet is skipped.
.IP "\-E  <error probability>" 4
.IX Item "-E  <error probability>"
Sets the probabilty that bytes in the output file are randomly changed.
\&\fBEditcap\fR uses that probability (between 0.0 and 1.0 inclusive) 
to apply errors to each data byte in the file.  For instance, a 
probability of 0.02 means that each byte has a 2% chance of having an error.
.Sp
This option is meant to be used for fuzz-testing protocol dissectors.
.IP "\-F  <file format>" 4
.IX Item "-F  <file format>"
Sets the file format of the output capture file.
\&\fBEditcap\fR can write the file in several formats, \fBeditcap \-F\fR 
provides a list of the available output formats. The default
is the \fBlibpcap\fR format.
.IP "\-A  <start time>" 4
.IX Item "-A  <start time>"
Saves only the packets whose timestamp is on or after start time.
The time is given in the following format YYYY-MM-DD \s-1HH:MM:SS\s0
.IP "\-B  <stop time>" 4
.IX Item "-B  <stop time>"
Saves only the packets whose timestamp is on or before stop time.
The time is given in the following format YYYY-MM-DD \s-1HH:MM:SS\s0
.IP "\-h" 4
.IX Item "-h"
Prints the version and options and exits.
.IP "\-r" 4
.IX Item "-r"
Reverse the packet selection.
Causes the packets whose packet numbers are specified on the command
line to be written to the output capture file, instead of discarding them.
.IP "\-s  <snaplen>" 4
.IX Item "-s  <snaplen>"
Sets the snapshot length to use when writing the data.
If the \fB\-s\fR flag is used to specify a snapshot length, packets in the
input file with more captured data than the specified snapshot length
will have only the amount of data specified by the snapshot length
written to the output file.  
.Sp
This may be useful if the program that is
to read the output file cannot handle packets larger than a certain size
(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6
appear to reject Ethernet packets larger than the standard Ethernet \s-1MTU\s0,
making them incapable of handling gigabit Ethernet captures if jumbo
packets were used).
.IP "\-t  <time adjustment>" 4
.IX Item "-t  <time adjustment>"
Sets the time adjustment to use on selected packets.
If the \fB\-t\fR flag is used to specify a time adjustment, the specified
adjustment will be applied to all selected packets in the capture file.
The adjustment is specified as [\-]\fIseconds\fR[\fI.fractional seconds\fR].
For example, \fB\-t\fR 3600 advances the timestamp on selected packets by one
hour while \fB\-t\fR \-0.5 reduces the timestamp on selected packets by
one-half second.  
.Sp
This feature is useful when synchronizing dumps
collected on different machines where the time difference between the
two machines is known or can be estimated.
.IP "\-T  <encapsulation type>" 4
.IX Item "-T  <encapsulation type>"
Sets the packet encapsulation type of the output capture file.
If the \fB\-T\fR flag is used to specify an encapsulation type, the
encapsulation type of the output capture file will be forced to the
specified type. 
\&\fBeditcap \-T\fR provides a list of the available types. The default
type is the one appropriate to the encapsulation type of the input 
capture file.
.Sp
Note: this merely
forces the encapsulation type of the output file to be the specified
type; the packet headers of the packets will not be translated from the
encapsulation type of the input capture file to the specified
encapsulation type (for example, it will not translate an Ethernet
capture to an \s-1FDDI\s0 capture if an Ethernet capture is read and '\fB\-T
fddi\fR' is specified). If you need to remove/add headers from/to a
packet, you will need \fIod\fR\|(1)/\fItext2pcap\fR\|(1).
.IP "\-v" 4
.IX Item "-v"
Causes \fBeditcap\fR to print verbose messages while it's working.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To see more detailed description of the options use:
.PP
.Vb 1
\&    editcap -h
.Ve
.PP
To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:
.PP
.Vb 1
\&    editcap -s 64 -F snoop capture.pcap shortcapture.snoop
.Ve
.PP
To delete packet 1000 from the capture file use:
.PP
.Vb 1
\&    editcap capture.pcap sans1000.pcap 1000
.Ve
.PP
To limit a capture file to packets from number 200 to 750 (inclusive) use:
.PP
.Vb 1
\&    editcap -r capture.pcap small.pcap 200-750
.Ve
.PP
To get all packets from number 1\-500 (inclusive) use:
.PP
.Vb 1
\&    editcap -r capture.pcap 500.pcap 1-500
.Ve
.PP
or
.PP
.Vb 1
\&    editcap capture.pcap 500.pcap 501-9999999
.Ve
.PP
To filter out packets 10 to 20 and 30 to 40 into a new file use:
.PP
.Vb 1
\&    editcap capture.pcap selection.pcap 10-20 30-40
.Ve
.PP
To introduce 5% random errors in a capture file use:
.Sp
.Vb 1
\&  editcap -E 0.05 capture.pcap capture_error.pcap
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fItcpdump\fR\|(8), \fIpcap\fR\|(3), \fIwireshark\fR\|(1), \fItshark\fR\|(1), \fImergecap\fR\|(1), \fIdumpcap\fR\|(1),
\&\fIcapinfos\fR\|(1), \fItext2pcap\fR\|(1), \fIod\fR\|(1)
.SH "NOTES"
.IX Header "NOTES"
\&\fBEditcap\fR is part of the \fBWireshark\fR distribution.  The latest version
of \fBWireshark\fR can be found at <http://www.wireshark.org>.
.PP
\&\s-1HTML\s0 versions of the Wireshark project man pages are available at:
<http://www.wireshark.org/docs/man\-pages>.
.SH "AUTHORS"
.IX Header "AUTHORS"
.Vb 3
\&  Original Author
\&  -------- ------
\&  Richard Sharpe           <sharpe[AT]ns.aus.com>
.Ve
.PP
.Vb 4
\&  Contributors
\&  ------------
\&  Guy Harris               <guy[AT]alum.mit.edu>
\&  Ulf Lamping              <ulf.lamping[AT]web.de>
.Ve