How to operate pcap files under Linux

In this article, I will introduce some tools for manipulating pcap files and how to use them.

Editcap and Mergecap

Wireshark, the most popular GUI sniffing tool, actually comes with a very useful set of command line tools. These include editcap and mergecap. editcap is a versatile pcap editor that can filter and split pcap files in various ways. mergecap can merge multiple pcap files into one. This article is based on these Wireshark command line tools.

If you have already installed Wireshark, these tools are already in your system. If it hasn't been installed yet, let's install the Wireshark command line tool next. It should be noted that on Debian-based distributions, we can install only the command line tool without installing the Wireshark GUI, but in Red Hat and its-based distributions, the entire Wireshark package needs to be installed.
Debian, Ubuntu or Linux Mint

$ sudo apt-get install wireshark-common

Fedora, CentOS or RHEL

$ sudo yum install wireshark

After installing the tools, you can start using editca and mergecap.

pcap file filtering

Through editcap, we can filter the contents of the pcap file according to many different rules and save the filtered results to a new file.

First, filter pcap files based on "start and end time". The " - A and " - B options can filter out packets arriving during this time period (for example, from 2:30 ~ 2:35). The format of the time is "YYYY-MM-DD HH:MM:SS".

$ editcap -A '2014-12-10 10:11:01' -B '2014-12-10 10:21:01' input.pcap output.pcap 

You can also extract specified N packages from a file. The following command line extracts 100 packets (from 401 to 500) from the input.pcap file and saves them to output.pcap:

$ editcap input.pcap output.pcap 401-500

Use the "-D " (dup-window can be regarded as the window size for comparison, only packages within this range are compared) option to extract duplicate packages. Each packet is compared with the length and MD5 value of the -1 packets before it in turn, and if there is a match, it is discarded.

$ editcap -D 10 input.pcap output.pcap

You can also define as a time interval. Use the "-w " option to compare packets arriving within time.

$ editcap -w 0.5 input.pcap output.pcap 

Split pcap file

editcap can also play a big role when you need to split a large pcap file into multiple small files. Split a pcap file into multiple files with the same number of packets

$ editcap -c (packets -per-[file]) (input -pcap-[file])(output -prefix)

Each output file has the same number of packages and is named in the form of -NNNN. Split pcap file by time interval

$ editcap -i (seconds -per-[file]) (input-pcap-[file]) (output-prefix)

Merge pcap files

If you want to merge multiple files into one, mergecap is convenient. When merging multiple files, mergecap sorts the internal data packets in time order by default.

$ mergecap -w output.pcap input.pcap input2.pcap [input3.pcap . . .]

If you want to ignore the timestamp and just want to merge the files in the order on the command line, then use the -a option. For example, the following command will write the contents of the input.pcap file to output.pcap, and append the contents of input2.pcap after it.

$ mergecap -a -w output.pcap input.pcap input2.pcap 

Summarize

In this guide, I demonstrated multiple examples of editcap and mergecap operating pcap files. In addition, there are other related tools, such as reordercap for reordering packets, text2pcap for converting pcap files to text format, pcap-diff for comparing the similarities and differences of pcap files, and so on. These tools and packet injection tools are very useful when performing network intrusion testing and troubleshooting network problems, so it is best to know about them.

---

The above is the detailed content of How to operate pcap files under Linux. For more information, please follow other related articles on the PHP Chinese website!