editcap.exe returns "File mycapturefile.pcapng is a Wireshark/... - pcapng capture file"

asked 2022-07-21 02:39:39 +0000

hpavon
1 ●2

updated 2022-07-21 23:52:39 +0000

I'm trying to split a huge capture into 1 hour files like this:

"C:\Program Files\Wireshark\editcap.exe" -v -r -i 3600 myhugecapture.pcapng splits

Where "myhugecapture.pcapng" is the input and "splits" is the name that I want for the outputs.

All I get is this message:

File mycapturefile.pcapng is a Wireshark/... - pcapng capture file.

And a 200 bytes "splits" output file that I don't know what it is

edit retag flag offensive close merge delete

Comments

Why is the -r option being used?

editcap man page:

-r Reverse the packet selection. Causes the packets whose packet numbers are specified on the command line to be written to the output capture file, instead of discarding them.

The documentation - man page and usage output - could use some reconciling. Also I wonder if there shouldn't be an error/warning is -r is used without the "An optional list of packet numbers ..." that is mentioned in the man page.

Chuckc ( 2022-07-21 03:49:12 +0000 )edit

Also I wonder if there shouldn't be an error/warning is -r is used without the "An optional list of packet numbers ..."

I don't wonder - that should definitely be an error.

Guy Harris ( 2022-07-21 21:32:38 +0000 )edit

Right @Chuckc. I knew there was something wrong in my command. My question was more about the output message. I still don't know what means nor I found any useful info googling it. I just hope someone else finds this post and helps despite my mistake with -r param.

What i read in DOS cmd was

Packet selection:
  -r                     keep the selected packets; default is to delete them.

As I didn't really know what I was doing and I read "keep" and "delete" my thought was ok, I don't want to screw my whole weekend capture file so "keep" is something that sounds good in any case.

Thank you all and excuse my clumsiness

hpavon ( 2022-07-21 23:39:02 +0000 )edit

This is from Ubuntu in WSL on Windows 10. file command is available on most *nix:

220721_editcap_r_option$ file *
200824_arp_PHS.pcapng:       pcap-ng capture file - version 1.0
splits:                      pcap-ng capture file - version 1.0
splits_00000_20200824103940: pcap-ng capture file - version 1.0
splits_00001_20200824103941: pcap-ng capture file - version 1.0

Chuckc ( 2022-07-22 00:53:03 +0000 )edit

This is from Ubuntu in WSL on Windows 10. file command is available on most *nix:

220721_editcap_r_option$ file *
200824_arp_PHS.pcapng:       pcap-ng capture file - version 1.0
splits:                      pcap-ng capture file - version 1.0
splits_00000_20200824103940: pcap-ng capture file - version 1.0
splits_00001_20200824103941: pcap-ng capture file - version 1.0

Chuckc ( 2022-07-22 00:53:11 +0000 )edit

see more comments

0

answered 2022-07-21 20:37:29 +0000

Guy Harris
19890 ●3 ●659 ●207

And a 200 bytes "splits" output file with some garbled content:

If by "garbled content" you mean that if you try to print the raw contents of the file directly on your terminal/terminal window/console, e.g. with cat, more, or less on a UN*X, or with type on Windows, or try to read it in a text editor, e.g. with vi, emacs, or some GUI text editor such as, on windows, Notepad or WordPad, It's "garbled" because it's not a text file and you shouldn't expect anything sensible if you try to print it out or edit/view it as if it were a text file. If you want to see its contents, use programs such as Wireshark or TShark or tcpdump.

You'll see the same sort of "garbled" content in your myhugecapture.pcapng file, as it's not a text file, either (as Editcap reports, for some unknown reason, it's a pcapng file - not even remotely close to plain text, just as pcap files are also not even remotely close to plain text.

edit flag offensive delete link

Comments

For the sake of clarity and to avoid digression I've removed the part you mention from the original post:

And a 200 bytes "splits" output file with some garbled content:

È   M<+   ÿÿÿÿÿÿÿÿ 6 Intel(R) Xeon(R) Gold 6242 CPU @ 2.80GHz (with SSE4.2)   . 64-bit Windows Server 2016 (1607), build 14393   2 Dumpcap (Wireshark) 3.4.9 (v3.4.9-0-g365e236f5efe)      È

When I see all those control characters in a text editor I assume that it is a binary file. Thanks for making this point all that clear and pardon my inaccurate English.

hpavon ( 2022-07-21 23:49:44 +0000 )edit

You still say

And a 200 bytes "splits" output file that I don't know what it is

and the answer is still the same - it's a pcapng file, so you now know what it is.

In more detail, it's a pcapng file containing all the packets that editcap selected to write to the file; given that you specified the -r flag, which means "remove all packets except for the ones specified", and you didn't specify any packets, editcap didn't select any packets to write to the file, so it's an empty pcapng file.

Guy Harris ( 2022-07-23 09:58:51 +0000 )edit

add a comment

0

answered 2022-07-21 21:19:07 +0000