Shulou(Shulou.com)06/01 Report--

This article shows you how to operate the pcap file in Linux, the content is concise and easy to understand, it will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

Editcap and Mergecap

Wireshark, the most popular GUI sniffing tool, actually comes with a very useful set of command-line tools. These include editcap and mergecap. Editcap is a versatile pcap editor that can filter and split pcap files in a variety of ways. Mergecap can merge multiple pcap files into one. This article is based on these Wireshark command line tools.

If you have already installed Wireshark, these tools are already on your system. If it's not already installed, then we'll install the Wireshark command line tool next. It is important to note that on Debian-based distributions we can install only command-line tools without installing Wireshark GUI, but we need to install the entire Wireshark package in Red Hat and its-based distributions.

Debian, Ubuntu or Linux Mint

The code is as follows:

$sudo apt-get install wireshark-common

Fedora, CentOS or RHEL

The code is as follows:

$sudo yum install wireshark

Once the tools are installed, you can start using editca and mergecap.

Pcap file filtering

With editcap, we can filter the contents of the pcap file with many different rules and save the filter results to the new file.

First, filter the pcap file with "start and end time". "- A

And "- B"

Option to filter out packets that arrive during this period (for example, from 2:30 to 2:35). The format of time is "YYYY-MM-DD HH:MM:SS".

The code is as follows:

$editcap-A '2014-12-10 10 11purl 01'-B' 2014-12-10 Vuitton 21V 01' input.pcap output.pcap

You can also extract specified N packages from a file. The following command line extracts 100 packages (from 401 to 500) from the input.pcap file and saves them to output.pcap:

The code is as follows:

$editcap input.pcap output.pcap 401500

Use "- D"

The "(dup-window can be seen as the window size of the comparison, only with the packages within this range) option can extract duplicate packages. Each package is in turn the same as the previous

-1 packet length is compared with the MD5 value, and if there is a match, it will be discarded.

The code is as follows:

$editcap-D 10 input.pcap output.pcap

After traversing 37568 packets, only one packet was repeated in the 10 window and discarded.

You can also set the

Defined as a time interval. Use "- w"

"options, comparison

A bag that arrives within time.

The code is as follows:

$editcap-w 0.5 input.pcap output.pcap

50000 packets were retrieved and 0.5s was used as the repeat window, but no duplicate packages were found.

Split pcap files

Editcap can also play a big role when you need to split a large pcap file into multiple small files.

Split a pcap file into multiple files with the same number of packets

The code is as follows:

$editcap-c

Each file output has the same number of packages to

-named for the form of NNNN.

Split pcap files at time intervals

The code is as follows:

$editcap-I

Merge pcap files

Mergecap is convenient if you want to merge multiple files into one.

When merging multiple files, mergecap by default sorts the internal packets in chronological order.

The code is as follows:

$mergecap-w output.pcap input.pcap input2.pcap [input3.pcap. . .]

If you want to ignore the timestamp and just want to merge the files in the order on the command line, use the-an option.

For example, the following command writes the contents of the input.pcap file to output.pcap and appends the contents of input2.pcap to the end.

The code is as follows:

$mergecap-a-w output.pcap input.pcap input2.pcap

The above is how to manipulate pcap files in Linux. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.