
editcap Cheat Sheet

Overview

editcap is a command-line packet capture file editor included with the Wireshark suite. It reads a capture file and writes some or all packets to a new file, optionally applying transformations such as time-shifting, packet truncation, duplicate removal, format conversion, and packet selection by number or time range. Unlike the Wireshark GUI, which loads an entire file into memory, editcap processes files sequentially and can handle captures of any size efficiently.

editcap is essential for preparing capture files for analysis, forensic investigation, or sharing. Common workflows include extracting relevant time windows from large captures, anonymizing data by truncating packet payloads, splitting enormous captures into manageable chunks, removing duplicate packets caused by capture taps, converting between pcap and pcapng formats, and adjusting timestamps to correct clock synchronization issues. It works with all file formats supported by Wireshark.

Installation

# Installed with Wireshark/TShark
# Ubuntu/Debian
sudo apt update
sudo apt install tshark

# CentOS/RHEL
sudo yum install wireshark-cli

# macOS
brew install wireshark

# Verify
editcap --version

Basic Usage

# Copy a capture file (no modifications)
editcap input.pcap output.pcap

# Convert pcap to pcapng
editcap -F pcapng input.pcap output.pcapng

# Convert pcapng to pcap
editcap -F pcap input.pcapng output.pcap

# List available output formats
editcap -F

Packet Selection

By Packet Number

# Remove specific packets (1-indexed; without -r, the listed packets are dropped)
editcap input.pcap output.pcap 1 5 10 15 20

# Keep only packets 1, 5, 10, 15, 20 (-r inverts the selection)
editcap -r input.pcap output.pcap 1 5 10 15 20

# Extract packet range
editcap -r input.pcap output.pcap 100-200

# Remove specific packets (default behavior without -r)
editcap input.pcap output.pcap 1-10
# Removes packets 1-10, keeps the rest

# Keep only packets 500-1000
editcap -r input.pcap output.pcap 500-1000

# Multiple ranges
editcap -r input.pcap output.pcap 1-100 500-600 900-1000

By Time Range

# Extract packets within time window
editcap -A "2024-01-15 10:00:00" -B "2024-01-15 11:00:00" \
  input.pcap output.pcap

# Extract from start time onward
editcap -A "2024-01-15 10:00:00" input.pcap output.pcap

# Extract up to end time
editcap -B "2024-01-15 11:00:00" input.pcap output.pcap

# Time with sub-second precision
editcap -A "2024-01-15 10:30:15.123456" -B "2024-01-15 10:30:20.654321" \
  input.pcap output.pcap

# Extract a window relative to the capture start (seconds from the first packet)
# -A/-B only take absolute times: read the start time with capinfos -a -S, add the offset,
# then pass the resulting absolute timestamps to -A and -B
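The relative-window procedure above, written out as a small shell helper. This is an added example, not part of the original cheat sheet; it assumes GNU date (`-d "@epoch"`) and that `capinfos -a -S` prints a "First packet time:" line in epoch seconds.

```shell
#!/bin/sh
# Added example: turn "from OFFSET seconds into the capture, for DURATION seconds"
# into the absolute -A/-B bounds that editcap requires.

# window_bounds START_EPOCH OFFSET_SECS DURATION_SECS
# Prints "A@B" where A and B use the "YYYY-MM-DD hh:mm:ss" form this page passes
# to -A/-B (local time, matching how editcap interprets a bare timestamp).
window_bounds() {
  a=$(( $1 + $2 ))
  b=$(( a + $3 ))
  printf '%s@%s\n' \
    "$(date -d "@$a" '+%Y-%m-%d %H:%M:%S')" \
    "$(date -d "@$b" '+%Y-%m-%d %H:%M:%S')"
}

# capture_start FILE
# First-packet time as integer epoch seconds. Assumes capinfos -S output of the
# form "First packet time:   1705312800.123456"; the fractional part is dropped.
capture_start() {
  capinfos -a -S "$1" | awk '/First packet time/ {print $NF}' | cut -d. -f1
}

# extract_relative FILE OFFSET_SECS DURATION_SECS OUTFILE
extract_relative() {
  bounds=$(window_bounds "$(capture_start "$1")" "$2" "$3")
  editcap -A "${bounds%@*}" -B "${bounds#*@}" "$1" "$4"
}

# Usage: keep 5 minutes of traffic starting 10 minutes into the capture
# extract_relative input.pcap 600 300 window.pcap
```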

File Splitting

# Split by packet count (100,000 packets per file)
editcap -c 100000 input.pcap output.pcap

# Split by file size (100MB per file)
# Not directly supported - use packet count to approximate

# Split by time interval (60 seconds per file)
editcap -i 60 input.pcap output.pcap

# Split by time interval (300 seconds = 5 minutes)
editcap -i 300 input.pcap output.pcap

# editcap inserts a sequence number and the first packet's timestamp
# before the extension, so the output files will be named:
# output_00000_20240115100000.pcap
# output_00001_20240115100100.pcap
# etc.

Packet Modification

Truncation

# Truncate packets to 64 bytes (snap length)
editcap -s 64 input.pcap output.pcap

# Keep Ethernet + IPv4 + TCP headers without options (14 + 20 + 20 = 54 bytes)
# VLAN tags, IPv6 and header options shift these offsets; check with tcpdump -X
editcap -s 54 input.pcap output.pcap

# Truncate to 128 bytes (keep headers, minimal payload)
editcap -s 128 input.pcap output.pcap

Time Shifting

# Shift all timestamps forward by 3600 seconds (1 hour)
editcap -t 3600 input.pcap output.pcap

# Shift timestamps backward by 30 minutes
editcap -t -1800 input.pcap output.pcap

# Shift by fractional seconds
editcap -t 0.5 input.pcap output.pcap

# Adjust timestamps so the capture starts at a specific time
# (shift by target minus the actual first-packet time, not by the absolute epoch value)
first=$(capinfos -a -S input.pcap | awk '/First packet time/ {print $NF}')
editcap -t "$(awk -v f="$first" -v t="$(date -d '2024-01-15 10:00:00' +%s)" 'BEGIN {printf "%.6f", t - f}')" input.pcap output.pcap

Duplicate Removal

# Remove duplicate packets (length + MD5 compared against the previous 4 packets, a 5-packet window)
editcap -d input.pcap output.pcap

# Widen the comparison window (-D takes a packet count, 0 to 1000000, not a time)
editcap -D 100 input.pcap output.pcap

# Remove duplicates within a time window (-w takes seconds relative to the current packet)
editcap -w 0.001 input.pcap output.pcap  # 1ms window
editcap -w 1.0 input.pcap output.pcap    # 1 second window

# Print each packet's MD5 hash without removing anything (window of 0 with -V)
editcap -V -D 0 input.pcap output.pcap

Error Injection

# Randomly corrupt packet bytes (for robustness testing of parsers and dissectors)
# -o skips the first N bytes of each packet so headers stay intact
editcap -E 0.05 -o 54 input.pcap output.pcap

# Set error probability (1 in 1000 bytes)
editcap -E 0.001 input.pcap output.pcap

# Set error probability (1 in 100 bytes - heavy corruption)
editcap -E 0.01 input.pcap output.pcap

Format Conversion

Supported Output Formats

Format Flag       Description
pcap              Wireshark/tcpdump pcap
pcapng            Wireshark pcapng (default)
5views            InfoVista 5View
commview          TamoSoft CommView
erf               Endace ERF
k12text           K12 text file
lanalyzer         Novell LANalyzer
logcat-brief      Android logcat brief
netmon1           Microsoft NetMon 1.x
netmon2           Microsoft NetMon 2.x
ngsniffer         Sniffer (DOS)
ngwsniffer_1_1    NetXray/Sniffer Windows
nokiapcap         Nokia pcap

# List all available formats
editcap -F

# Convert to specific format
editcap -F pcap input.pcapng output.pcap
editcap -F netmon2 input.pcap output.cap
editcap -F erf input.pcap output.erf

Encapsulation Conversion

# List available encapsulation types
editcap -T

# Change the encapsulation type label
# -T only relabels the link-layer type; packet bytes are not rewritten,
# so a wrong label makes Wireshark mis-dissect every frame
editcap -T ether input.pcap output.pcap
editcap -T rawip input.pcap output.pcap
editcap -T linux-sll input.pcap output.pcap

Advanced Usage

Chaining with Other Tools

# Extract time window, then split into chunks
editcap -A "2024-01-15 10:00:00" -B "2024-01-15 12:00:00" \
  full_capture.pcap time_filtered.pcap
editcap -c 50000 time_filtered.pcap chunk.pcap

# Remove duplicates then truncate for sharing
editcap -d input.pcap deduped.pcap
editcap -s 128 deduped.pcap sanitized.pcap

# Pipeline with tshark
tshark -r input.pcap -w filtered.pcap -Y "http"
editcap -s 256 filtered.pcap truncated_http.pcap

# Merge files then deduplicate
mergecap -w merged.pcap file1.pcap file2.pcap
editcap -d merged.pcap clean_merged.pcap

Anonymization Workflow

# Step 1: Truncate payloads (the first 64 bytes of each packet survive,
# including any application data that starts inside the snaplen)
editcap -s 64 original.pcap truncated.pcap

# Step 2: Use tcprewrite to randomize IPs
tcpprep --auto=bridge --pcap=truncated.pcap --cachefile=cache.prep
tcprewrite --seed=42 --cachefile=cache.prep \
  -i truncated.pcap -o anonymized.pcap

# Verify
capinfos anonymized.pcap
tcpdump -r anonymized.pcap -n -c 5

Batch Processing

# Convert all pcap files to pcapng
for f in *.pcap; do
  editcap -F pcapng "$f" "${f%.pcap}.pcapng"
done

# Split all captures by 1-hour intervals
for f in *.pcap; do
  mkdir -p "split_${f%.pcap}"
  editcap -i 3600 "$f" "split_${f%.pcap}/part.pcap"
done

# Remove duplicates from all files
for f in *.pcap; do
  editcap -d "$f" "deduped_${f}"
  echo "$f: $(capinfos -c "$f" | grep packets) -> $(capinfos -c "deduped_${f}" | grep packets)"
done

# Truncate all captures for sharing
for f in *.pcap; do
  editcap -s 128 "$f" "truncated_${f}"
done

TLS Key Injection

# Inject TLS session keys into pcapng for decryption (output must be pcapng)
editcap --inject-secrets tls,sslkeylog.txt \
  encrypted.pcap decryptable.pcapng

# The output pcapng contains the embedded keys, so handle it like the key log itself
# Open in Wireshark for automatic TLS decryption

Configuration

Timestamp Precision

# Timestamp precision follows the output format; there is no separate option
# pcapng preserves nanosecond precision (default output format)
# pcap stores microsecond precision only; nsecpcap is a pcap variant with nanoseconds
editcap -F nsecpcap input.pcapng output.pcap

Comment and Annotation

# Add capture comment (pcapng only)
editcap --capture-comment "Captured at site A, interface eth0" \
  input.pcap output.pcapng

# Add multiple comments
editcap \
  --capture-comment "Analyst: John Doe" \
  --capture-comment "Case: INC-2024-001" \
  input.pcap output.pcapng

Troubleshooting

Issue                              Solution
"not a capture file" error         File is corrupted; try pcapfix to repair
Output file is empty               Check that the packet range or time window is valid
Time shift gives wrong results     Verify timezone; use capinfos -a -e to check times
Can't convert encapsulation        Not all conversions are valid between formats
File too large to process          Split first with -c, then process chunks
Duplicate removal missed dupes     Widen the packet window with -D or use a time window with -w
Format not available               Update Wireshark/tshark to the latest version
Timestamps lost precision          Converting pcapng->pcap loses nanosecond data

Verification

# Verify output file
capinfos output.pcap

# Compare input and output
echo "Input:" && capinfos -cuae input.pcap
echo "Output:" && capinfos -cuae output.pcap

# Spot-check packets
tcpdump -r output.pcap -n -c 10

# Verify no duplicates remain (a second -d pass should drop no packets)
editcap -d output.pcap recheck.pcap
capinfos -c output.pcap recheck.pcap