Editcap does not determine that packets are duplicates based on the IP ID. It uses a hash of the packet. So if two packets are between the same IP addresses and both have the same IP ID, but something else--something other than the IP ID--is different, editcap will not see them as duplicates.

Also, editcap only looks within the duplicate window, which by default is 5, meaning the current packet and the previous four packets. So if packet 10 is a duplicate of packet 2, editcap won't see that because packet 2 is not within the four previous packets from packet 10. You can change the size of the duplicate window. You can also change it to be based on time rather than number of packets.

Enter "editcap -h" to see all the options.
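
The behaviour described in the answer above can be modelled in a few lines. This is an added example, not editcap's source code and not part of the original answer: the SHA-256 hash, the `packet` and `find_duplicates` helpers, and the sample packets are assumptions constructed for illustration.

```python
import hashlib
from collections import deque


def packet(ip_id, ttl, payload):
    # Constructed stand-in for a captured frame: fixed address pair, IP ID, TTL, payload.
    return b"10.0.0.1>10.0.0.2|" + ip_id.to_bytes(2, "big") + bytes([ttl]) + payload


def find_duplicates(packets, window=5):
    """Return the 1-based numbers of packets flagged as duplicates.

    Simplified model: a packet is a duplicate only if the hash of its bytes
    equals the hash of one of the previous (window - 1) packets.
    """
    recent = deque(maxlen=max(window - 1, 0))
    flagged = []
    for number, data in enumerate(packets, start=1):
        digest = hashlib.sha256(data).digest()  # stand-in hash (assumption)
        if digest in recent:
            flagged.append(number)
        recent.append(digest)  # assumption: flagged packets still occupy a slot
    return flagged


# Constructed sample capture, packets numbered 1..10.
PACKETS = [
    packet(0x0001, 64, b"a"),
    packet(0x1234, 64, b"hello"),   # packet 2
    packet(0x1234, 63, b"hello"),   # packet 3: same IP ID as 2, TTL differs
    packet(0x0004, 64, b"b"),
    packet(0x0005, 64, b"c"),
    packet(0x0005, 64, b"c"),       # packet 6: byte-for-byte copy of 5
    packet(0x0007, 64, b"d"),
    packet(0x0008, 64, b"e"),
    packet(0x0009, 64, b"f"),
    packet(0x1234, 64, b"hello"),   # packet 10: byte-for-byte copy of 2
]

if __name__ == "__main__":
    print("window 5:", find_duplicates(PACKETS, window=5))
    print("window 9:", find_duplicates(PACKETS, window=9))
```

Packet 3 is never flagged because its bytes differ from packet 2 even though the IP ID matches, and packet 10 is only flagged once the window is wide enough to reach back to packet 2.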