Lucent Technologies Ethereal Network Card User Manual


 
C.5. editcap: Edit capture files
Included with Ethereal is editcap, a small command-line utility for working with capture files.
Its main function is to remove packets from capture files, but it can also convert capture files
from one format to another and print information about capture files.
Example C.2. Help information available from editcap
$ editcap.exe -h
Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-E <probability>]
               [-F <capture type>]> [-s <snaplen>] [-t <time adjustment>]
               <infile> <outfile> [ <record#>[-<record#>] ... ]
  where
    -E <probability> specifies the probability (between 0 and 1)
        that a particular byte will will have an error.
    -F <capture type> specifies the capture file type to write:
        libpcap - libpcap (tcpdump, Ethereal, etc.)
        rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
        suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
        modlibpcap - modified libpcap (tcpdump)
        nokialibpcap - Nokia libpcap (tcpdump)
        lanalyzer - Novell LANalyzer
        ngsniffer - Network Associates Sniffer (DOS-based)
        snoop - Sun snoop
        netmon1 - Microsoft Network Monitor 1.x
        netmon2 - Microsoft Network Monitor 2.x
        ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
        ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
        nettl - HP-UX nettl trace
        visual - Visual Networks traffic capture
        5views - Accellent 5Views capture
        niobserverv9 - Network Instruments Observer version 9
        default is libpcap
    -h produces this help listing.
    -r specifies that the records specified should be kept, not deleted,
        default is to delete
    -s <snaplen> specifies that packets should be truncated to
        <snaplen> bytes of data
    -t <time adjustment> specifies the time adjustment
        to be applied to selected packets
    -T <encap type> specifies the encapsulation type to use:
        ether - Ethernet
        tr - Token Ring
        slip - SLIP
        ppp - PPP
        fddi - FDDI
        fddi-swapped - FDDI with bit-swapped MAC addresses
        rawip - Raw IP
        arcnet - ARCNET
        arcnet_linux - Linux ARCNET
        atm-rfc1483 - RFC 1483 ATM
        linux-atm-clip - Linux ATM CLIP
        lapb - LAPB
        atm-pdus - ATM PDUs
        atm-pdus-untruncated - ATM PDUs - untruncated
        null - NULL
        ascend - Lucent/Ascend access equipment
        isdn - ISDN
        ip-over-fc - RFC 2625 IP-over-Fibre Channel
        ppp-with-direction - PPP with Directional Info
        ieee-802-11 - IEEE 802.11 Wireless LAN
        prism - IEEE 802.11 plus Prism II monitor mode header
        ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
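The record arguments and the -r, -s and -t options listed above, modelled in Python for the libpcap file type only. This is an added example, not Ethereal's code: the function names and the sample capture are constructed here. It assumes the -t adjustment is applied to every packet written to the output, and it copies the file header unchanged.

```python
import struct

def parse_ranges(specs):
    """Expand record arguments such as "3" or "5-7" into a set of 1-based record numbers."""
    selected = set()
    for spec in specs:
        first, _, last = spec.partition("-")
        selected.update(range(int(first), int(last or first) + 1))
    return selected

def read_records(data):
    """Yield (endian, sec, usec, orig_len, payload) for each record of a classic libpcap file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)  # file byte order
    if endian is None:
        raise ValueError("not a classic libpcap file")
    offset = 24                                   # skip the 24-byte global header
    while offset < len(data):
        sec, usec, incl_len, orig_len = struct.unpack_from(endian + "IIII", data, offset)
        payload = data[offset + 16:offset + 16 + incl_len]
        if len(payload) != incl_len:
            raise ValueError("record data cut short")
        offset += 16 + incl_len
        yield endian, sec, usec, orig_len, payload

def edit_pcap(data, records=(), keep=False, snaplen=None, time_adjust=0.0):
    """Model of: editcap [-r] [-s snaplen] [-t time_adjust] infile outfile records..."""
    selected = parse_ranges(records)
    adjust_us = round(time_adjust * 1_000_000)    # assumption: seconds, may be fractional
    out = bytearray(data[:24])                    # global header copied unchanged
    for number, (endian, sec, usec, orig_len, payload) in enumerate(read_records(data), 1):
        if (number in selected) != keep:
            continue                              # default drops listed records, -r drops the rest
        if snaplen is not None:
            payload = payload[:snaplen]           # -s: shorten captured data, keep orig_len
        # struct.error is raised if the adjustment moves a timestamp before the epoch
        sec, usec = divmod(sec * 1_000_000 + usec + adjust_us, 1_000_000)
        out += struct.pack(endian + "IIII", sec, usec, len(payload), orig_len) + payload
    return bytes(out)

def sample_capture():
    """Constructed input: four 100-byte Ethernet-type packets, one per second from t=1000."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b"".join(struct.pack("<IIII", 1000 + i, 0, 100, 100) + bytes([i]) * 100
                    for i in range(4))
    return header + body
```

For example, edit_pcap(sample_capture(), ["1", "3-4"], keep=True, snaplen=64) corresponds to `editcap -r -s 64 <infile> <outfile> 1 3-4`: records 1, 3 and 4 are kept and cut to 64 bytes of data each.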