I am trying to remove duplicate and ignore first 14 bytes of my pcap files. I am using below command:
editcap -w 0.001 -I 14 pcap_file pcap_file_updated
But i am getting below error: editcap: invalid option -- 'I'
When i check the manual page of editcap i can see the "I" option.
My editcap version is: Editcap 1.10.14
How can i ignore first 14 bytes of pcap file??
Presumably you're trying to remove the 14 Ethernet framing bytes from the start of each packet? Well, if that's the case, then as @grahamb mentioned, you you can achieve that using the older version of editcap, but you won't be able to adjust the frame lengths because the version you're using doesn't support the -L option. So, if possible, you should upgrade Wireshark (and thus editcap) to a version that supports the -L option. If you're able to do that, then the syntax you'd probably want, assuming all Ethertypes are IPv4, would be:
editcap -w 0.001 -C 14 -L -T rawip pcap_file pcap_file_updated
NOTE: The -T rawip part is necessary; otherwise the encapsulation would still be Ethernet, but since the Ethernet framing bytes have been stripped away, the resulting output capture file would not be interpreted properly.
If it's not possible for you to upgrade your version of Wireshark, then you will have to resort to other solutions, some more painful than others, such as:
Use tcprewrite. For example (untested):
tcprewrite --strip=14 -i pcap_file -o pcap_file_updated_temp
NOTE: While tcprewrite does support a --dlt=[string] option, it doesn't appear that it supports --dlt=rawip, so you'll likely need to set the encapsulation in a separate step using editcap, for example:
editcap -T rawip pcap_file_updated_temp pcap_file_updated
A more painful solution: File -> Export Packet Dissections -> As Plain Text... -> Packet Format: Packet Bytes (only), File name: pcap_file.txt
This will produce a text file with the bytes of each packet displayed in a format similar to the example shown in the text2pcap man page. For example:
000000 00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00
000010 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00
000020 02 02 08 00 a6 2f 00 01 00 01 48 65 6c 6c 6f 20
000030 57 6f 72 6c 64 21
You will then need to write a script to remove the first 14 bytes of each packet and adjust all the offsets accordingly. Using the example above, you'd need to end up with something like this:
000000 45 00
000002 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00
000012 02 02 08 00 a6 2f 00 01 00 01 48 65 6c 6c 6f 20
000022 57 6f 72 6c 64 21
Once you have the packets in this format, you can use text2pcap to convert the data back into a pcap file, like so:
text2pcap -l 101 pcap_file.txt pcap_file_updated
NOTE: The -l 101 part is needed for the same reason as -T rawip was needed for the editcapcommand above. For reference, link types are defined at https://www.tcpdump.org/linktypes.html.
Other possibilities?
Write to the author of TraceWrangler asking for an enhancement to be made to this tool that allows the ...
I don't think that will work very well in practice for pcapng files because you can have multiple IDBs. Ideally, one could ask TraceWrangler to remove the Ethernet framing bytes from all packets and TraceWrangler would be smart enough to find all IDBs where the Link Type is LINKTYPE_ETHERNET (1) and then only remove the 14 bytes of Ethernet framing from those Packet Blocks whose Interface ID matched one of those relevant IDBs, but leave all other Packet Blocks alone. Then TraceWrangler should replace those IDBs with new ones for the user-specified Link Type, like LINKTYPE_RAW (101) in this case. If there is more than one IDB with LINKTYPE_ETHERNET, then there should probably be separate LINKTYPE_RAW IDBs for each one rather than consolidating them, so it's still possible to know that packets were captured on different interfaces. There are probably other considerations too, but I think these are ...
My editcap version is: Editcap 1.10.14
That is a very old version and may not support the options you're using.
From the man page of 4.0.2:
Packet manipulation:
-s <snaplen> truncate each packet to max. <snaplen> bytes of data.
-C [offset:]<choplen> chop each packet by <choplen> bytes. Positive values
chop at the packet beginning, negative values at the
packet end. If an optional offset precedes the length,
then the bytes chopped will be offset from that value.
Positive offsets are from the packet beginning,
negative offsets are from the packet end. You can use
this option more than once, allowing up to 2 chopping
regions within a packet provided that at least 1
choplen is positive and at least 1 is negative.
-L adjust the frame (i.e. reported) length when chopping
and/or snapping.
So you need to supply either an -s <snaplen> or -C [offset:]<choplen> along with the -L (note upper-case L), e.g. (untested)
editcap -w 0.001 -C 14 -L pcap_file pcap_file_updated
You don't necessarily need the -L option. If it's not available in your version of Wireshark, then you can continue without it. It just means that the "bytes on wire" and " bytes captured" won't match.
On the other hand, you will almost certainly still need the -T rawip option though (see my answer). And to ensure that only Ethernet frames with IPv4 Ethertypes are present in the capture file, you should pre-filter the pcap_file removing any non-IP frames like ARP, etc.
Asked: 2023-01-17 10:43:55 +0000
Seen: 1,072 times
Last updated: Jan 20 '23
Have you run
editcap -hto see what options your version supports?What is the reason why you need to strip the 14 bytes (as @cmaynard assumes this is probably the Ethernet header)? I'd guess that you have duplicates starting from the IP/IP6 layer (routed duplicates), but if that's the case you should be able to filter on MAC addresses and remove those you don't want. But I'm probably going into the wrong direction here :)