Monday, January 23, 2012

Editcap Guide: 11 Examples To Handle Network Packet Dumps Effectively

The editcap utility is used to select or remove specific packets from a dump file and translate them into a given format. Editcap does not perform packet captures like ethereal. Instead, it operates on packets that have already been captured and writes the required subset into another file. We can pass various options to editcap to get our preferred packets.

In this article, let us review 11 practical examples on how-to use editcap to handle the packet dumps effectively.
Primary Purpose of editcap
Following are the main reasons to use the editcap command.
  • Divide a dump file into multiple files.
  • Select only the required packets.
  • Translate the capture file from one format to another.
  • Ability to read from a compressed dump file.
  • Make the job easier for the network analyzer tool by loading only selected packets, instead of the whole dump.
  • All of these features reduce the time spent processing or analyzing packets.
Let us assume the scenario where you have to analyze only some specific packet types in a huge dump file. In this situation, we can't use the network packet analyzer (wireshark or ethereal) to load the huge dump file in a single shot, as it would be a CPU intensive process and the system may hang. The editcap utility makes the job easier by producing only the relevant packets, so they can be loaded by the network analyzer tool quickly.
editcap is shipped in the wireshark package. Make sure the wireshark/ethereal package is installed before using editcap.
11 Practical Examples Of editcap Usage

Example 1: Discard set of packets from the beginning of input_dump file

The output_dump file will contain all packets except the first 10. Without -r, the packet ranges given on the command line are the ones to delete.
# editcap -v input_dump output_dump 1-10

Example 2: Discard set of packets from the middle of input_dump file

The output_dump file will contain all packets except packets from 200 to 210.
# editcap -v input_dump output_dump 200-210

Example 3: Select multiple range of packets (from beginning and middle)

With -r, the listed ranges are kept instead of deleted, so the output_dump file will contain only the first 10 packets and packets 100 to 200.
# editcap -r -v input_dump output_dump 1-10 100-200

Example 4: Change the encapsulation type of the capture file using option -T

By default the encapsulation type of the dump file is ether. The example below sets the encapsulation type of the output file to ieee-802-11-radiotap, the type named after -T. Note that -T only relabels the link-layer type recorded in the file; it does not rewrite the packet headers themselves, so use it only when the original capture was mislabelled.
# editcap -v -T ieee-802-11-radiotap input_dump output_dump

Example 5: Process the compressed input_dump files

editcap automatically detects compressed capture files. Currently it supports the gzip format. In the example below, it reads packets from the compressed input file and writes the first 10 packets and the packets from 100 to 200 into the output_dump file.
# editcap -r -v input_dump.gz output_dump 1-10 100-200

Example 6: Extract packets between a specific timeperiod using option -A and -B

This example creates output_dump, which contains only the packets captured between the time given in option -A and the time given in option -B.
# editcap -v -A "2009-02-11 11:26:30" -B "2009-02-11 11:27:00"  input_dump output_dump

Example 7: Change packet’s timestamp (reduce or advance) using option -t

To advance the timestamp of every packet by one hour:
# editcap -t 3600 input_dump output_dump
To move the timestamp of every packet back by 30 minutes:
# editcap -t -1800 input_dump output_dump

Example 8: Remove duplicate packets from the output_dump file using option -d

With -d, editcap compares the length and hash of each frame against the preceding few frames (a window of 5 by default) and skips any frame that matches. The resulting dump contains no such duplicates.
# editcap -v -d input_dump output_dump

Example 9: Truncate the packets to the specific length using option -s

Produces the output_dump file with every packet truncated to 100 bytes. This can be very helpful in many situations; for example, use it when you only want the IP layer of every packet and do not need the other layers.
# editcap -s 100 -v -A "2009-02-11 11:26:30" -B "2009-02-11 11:27:00"  input_dump.gz output_dump

Example 10: Divide input_dump file into multiple files using option -c

Divide the single dump into multiple files, each containing the specified number of packets.
# editcap -v -c 1000 input_dump output
If input_dump contains 5000 packets, editcap will generate 5 different output files.

Example 11: Remove certain bytes from the bottom of all packets using option -C

This example removes 10 bytes from the end of every packet and writes the result into the output file. You can confirm this by viewing the output file in wireshark: the frame layer of every packet will show “50 bytes on wire, 40 bytes captured” (here the actual size of a packet is 50 bytes).
# editcap -C 10 input_dump output
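Examples 9, 10 and 11 all work on the pcap record header, which stores the captured length (incl_len) separately from the on-wire length (orig_len); that is why Wireshark still reports "50 bytes on wire" after -C 10. The script below is an added example, not part of the original article or of Wireshark: it builds a constructed in-memory pcap and re-implements -s, -C and -c on it, so it runs without editcap installed. It assumes a little-endian pcap file with microsecond timestamps (pcapng is not handled).

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # little-endian, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len (captured), orig_len (on wire)

def parse_pcap(data):
    """Return (global header tuple, [(ts_sec, ts_usec, orig_len, payload), ...])."""
    hdr = GLOBAL_HDR.unpack_from(data, 0)
    if hdr[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    off, pkts = GLOBAL_HDR.size, []
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size
        pkts.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return hdr, pkts

def build_pcap(hdr, pkts):
    """Serialise packets back; incl_len is always the real payload length."""
    out = bytearray(GLOBAL_HDR.pack(*hdr))
    for ts_sec, ts_usec, orig_len, payload in pkts:
        out += REC_HDR.pack(ts_sec, ts_usec, len(payload), orig_len) + payload
    return bytes(out)

def snap(pkts, snaplen):
    """editcap -s N: keep at most N captured bytes; on-wire length unchanged."""
    return [(s, u, o, p[:snaplen]) for s, u, o, p in pkts]

def chop_tail(pkts, nbytes):
    """editcap -C N: drop N bytes from the end; on-wire length unchanged (no -L)."""
    return [(s, u, o, p[:max(0, len(p) - nbytes)]) for s, u, o, p in pkts]

def split_by_count(pkts, per_file):
    """editcap -c N: one packet list per output file, at most N packets each."""
    return [pkts[i:i + per_file] for i in range(0, len(pkts), per_file)]

def sample_capture(n=5, size=50):
    """Constructed capture: n Ethernet frames of `size` bytes, fully captured."""
    hdr = (PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    pkts = [(1234567890 + i, 0, size, bytes([i]) * size) for i in range(n)]
    return build_pcap(hdr, pkts)

def captured_vs_wire(data):
    """Per-packet (captured, on-wire) lengths, as shown on Wireshark's frame line."""
    return [(len(p), o) for _, _, o, p in parse_pcap(data)[1]]
```

Running `captured_vs_wire(build_pcap(*(lambda h, p: (h, chop_tail(p, 10)))(*parse_pcap(sample_capture()))))` yields `(40, 50)` for every packet, matching the "50 bytes on wire, 40 bytes captured" display from Example 11.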