
Editcap ignore first 14 bytes of a packet

asked 2023-01-17 10:43:55 +0000 by merveyil

updated 2023-01-17 19:13:44 +0000 by cmaynard

I am trying to remove duplicates and ignore the first 14 bytes of my pcap files. I am using the command below:

editcap -w 0.001 -I 14 pcap_file pcap_file_updated

But I am getting the error below: editcap: invalid option -- 'I'

When I check the manual page of editcap I can see the "I" option.

My editcap version is: Editcap 1.10.14

How can I ignore the first 14 bytes of a pcap file?


Comments

Have you run editcap -h to see what options your version supports?

Chuckc (2023-01-17 15:46:36 +0000)

What is the reason why you need to strip the 14 bytes (as @cmaynard assumes this is probably the Ethernet header)? I'd guess that you have duplicates starting from the IP/IP6 layer (routed duplicates), but if that's the case you should be able to filter on MAC addresses and remove those you don't want. But I'm probably going into the wrong direction here :)

Jasper (2023-01-20 14:41:29 +0000)

2 Answers

Score: 1

answered 2023-01-17 19:13:19 +0000 by cmaynard

updated 2023-01-20 16:13:17 +0000

Presumably you're trying to remove the 14 Ethernet framing bytes from the start of each packet? Well, if that's the case, then as @grahamb mentioned, you can achieve that using the older version of editcap, but you won't be able to adjust the frame lengths because the version you're using doesn't support the -L option. So, if possible, you should upgrade Wireshark (and thus editcap) to a version that supports the -L option. If you're able to do that, then the syntax you'd probably want, assuming all Ethertypes are IPv4, would be:

editcap -w 0.001 -C 14 -L -T rawip pcap_file pcap_file_updated

NOTE: The -T rawip part is necessary; otherwise the encapsulation would still be Ethernet, but since the Ethernet framing bytes have been stripped away, the resulting output capture file would not be interpreted properly.

If it's not possible for you to upgrade your version of Wireshark, then you will have to resort to other solutions, some more painful than others, such as:

  • Use tcprewrite. For example (untested):

    tcprewrite --strip=14 -i pcap_file -o pcap_file_updated_temp

    NOTE: While tcprewrite does support a --dlt=[string] option, it doesn't appear that it supports --dlt=rawip, so you'll likely need to set the encapsulation in a separate step using editcap, for example:

    editcap -T rawip pcap_file_updated_temp pcap_file_updated

  • A more painful solution: File -> Export Packet Dissections -> As Plain Text... -> Packet Format: Packet Bytes (only), File name: pcap_file.txt

    This will produce a text file with the bytes of each packet displayed in a format similar to the example shown in the text2pcap man page. For example:

    000000 00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00
    000010 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00
    000020 02 02 08 00 a6 2f 00 01 00 01 48 65 6c 6c 6f 20
    000030 57 6f 72 6c 64 21

    You will then need to write a script to remove the first 14 bytes of each packet and adjust all the offsets accordingly. Using the example above, you'd need to end up with something like this:

    000000 45 00
    000002 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00
    000012 02 02 08 00 a6 2f 00 01 00 01 48 65 6c 6c 6f 20
    000022 57 6f 72 6c 64 21

    Once you have the packets in this format, you can use text2pcap to convert the data back into a pcap file, like so:

    text2pcap -l 101 pcap_file.txt pcap_file_updated

    NOTE: The -l 101 part is needed for the same reason as -T rawip was needed for the editcap command above. For reference, link types are defined at https://www.tcpdump.org/linktypes.html.


Other possibilities?

  • Write to the author of TraceWrangler asking for an enhancement to be made to this tool that allows the ...

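The "write a script to remove the first 14 bytes of each packet and adjust all the offsets" step from the answer above, as an added example (not part of cmaynard's answer and not Wireshark code). It reads a text2pcap-style hex dump, strips the Ethernet header from every packet while keeping the original line grouping, renumbers the hex offsets, and, going one step beyond the answer, drops frames whose Ethertype is not IPv4 or IPv6, since those would be misread once the file is declared raw IP with -l 101 (the pre-filtering cmaynard's later comment recommends). The first sample packet is the dump shown in the answer; the ARP frame after it is constructed for this example, and all function names are the example's own.

```python
"""Strip the first N bytes (14 = Ethernet header) from every packet in a
text2pcap-style hex dump and renumber the offsets."""
import re
import sys

HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{6})\s+((?:[0-9A-Fa-f]{2}\s*)+)$")
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD   # LINKTYPE_RAW (101) carries IPv4 or IPv6 headers

# Constructed sample input: the ICMP echo frame from the answer, followed by a
# constructed ARP request that must NOT survive a conversion to raw IP.
SAMPLE_DUMP = """\
000000 00 0e b6 00 00 02 00 0e b6 00 00 01 08 00 45 00
000010 00 28 00 00 00 00 ff 01 37 d1 c0 00 02 01 c0 00
000020 02 02 08 00 a6 2f 00 01 00 01 48 65 6c 6c 6f 20
000030 57 6f 72 6c 64 21

000000 ff ff ff ff ff ff 00 0e b6 00 00 01 08 06 00 01
000010 08 00 06 04 00 01 00 0e b6 00 00 01 c0 00 02 01
000020 00 00 00 00 00 00 c0 00 02 02
"""

def parse_dump(text):
    """Split a dump into packets. Each packet is a list of byte strings, one per
    source line, so the original line grouping can be preserved on output.
    An offset of 000000 starts a new packet (text2pcap treats it the same way)."""
    packets, current = [], None
    for raw in text.splitlines():
        m = HEX_LINE.match(raw)
        if not m:
            continue                      # blank lines and non-hex text are ignored
        offset = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        if offset == 0 or current is None:
            current = []
            packets.append(current)
        current.append(data)
    return packets

def chop_packet(lines, n):
    """Drop the first n bytes of a packet, keeping the remaining line boundaries."""
    out, remaining = [], n
    for data in lines:
        if remaining >= len(data):
            remaining -= len(data)        # this whole line lies inside the stripped header
            continue
        out.append(data[remaining:])
        remaining = 0
    return out

def format_packet(lines):
    """Re-emit lines with offsets recomputed from zero (hex, as text2pcap expects)."""
    out, offset = [], 0
    for data in lines:
        out.append("%06x %s" % (offset, " ".join("%02x" % b for b in data)))
        offset += len(data)
    return out

def strip_dump(text, n=14, keep_ethertypes=(ETHERTYPE_IPV4, ETHERTYPE_IPV6)):
    """Return (new_dump_text, dropped_count). Frames whose Ethertype (bytes 12-13,
    so this check assumes Ethernet framing, i.e. n == 14) is not in keep_ethertypes
    are dropped; pass keep_ethertypes=None to keep everything that is long enough."""
    out_lines, dropped = [], 0
    for pkt in parse_dump(text):
        frame = b"".join(pkt)
        ethertype = int.from_bytes(frame[12:14], "big") if len(frame) >= 14 else None
        if len(frame) <= n or (keep_ethertypes and ethertype not in keep_ethertypes):
            dropped += 1
            continue
        out_lines.extend(format_packet(chop_packet(pkt, n)))
        out_lines.append("")              # blank line between packets
    return "\n".join(out_lines), dropped

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    result, dropped = strip_dump(src)
    sys.stdout.write(result)
    sys.stderr.write("dropped %d non-IP or too-short frame(s)\n" % dropped)
```

Run it as `python strip14.py pcap_file.txt > stripped.txt` and feed `stripped.txt` to `text2pcap -l 101` as in the answer; on the sample above it emits exactly the four re-offset lines shown there and reports the ARP frame as dropped.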

Comments

Good idea, I could put something like a generic "cut n bytes from the beginning and set encapsulation to a value" in Tracewrangler. As soon as I find the time :)

Jasper (2023-01-20 14:51:46 +0000)

I don't think that will work very well in practice for pcapng files because you can have multiple IDBs. Ideally, one could ask TraceWrangler to remove the Ethernet framing bytes from all packets and TraceWrangler would be smart enough to find all IDBs where the Link Type is LINKTYPE_ETHERNET (1) and then only remove the 14 bytes of Ethernet framing from those Packet Blocks whose Interface ID matched one of those relevant IDBs, but leave all other Packet Blocks alone. Then TraceWrangler should replace those IDBs with new ones for the user-specified Link Type, like LINKTYPE_RAW (101) in this case. If there is more than one IDB with LINKTYPE_ETHERNET, then there should probably be separate LINKTYPE_RAW IDBs for each one rather than consolidating them, so it's still possible to know that packets were captured on different interfaces. There are probably other considerations too, but I think these are ...

cmaynard (2023-01-20 16:45:19 +0000)
Score: 0

answered 2023-01-17 11:35:03 +0000 by grahamb

My editcap version is: Editcap 1.10.14

That is a very old version and may not support the options you're using.

From the man page of 4.0.2:

Packet manipulation:
  -s <snaplen>           truncate each packet to max. <snaplen> bytes of data.
  -C [offset:]<choplen>  chop each packet by <choplen> bytes. Positive values
                         chop at the packet beginning, negative values at the
                         packet end. If an optional offset precedes the length,
                         then the bytes chopped will be offset from that value.
                         Positive offsets are from the packet beginning,
                         negative offsets are from the packet end. You can use
                         this option more than once, allowing up to 2 chopping
                         regions within a packet provided that at least 1
                         choplen is positive and at least 1 is negative.
  -L                     adjust the frame (i.e. reported) length when chopping
                         and/or snapping.

So you need to supply either an -s <snaplen> or -C [offset:]<choplen> along with the -L (note upper-case L), e.g. (untested)

editcap -w 0.001 -C 14 -L pcap_file pcap_file_updated

Comments

Thank you so much, I will try.

merveyil (2023-01-17 11:56:56 +0000)

I tried and got same error: editcap: invalid option -- 'L'

Is it okay to use it like:

editcap -w 0.001 -s 14 pcap_file pcap_file_updated

merveyil (2023-01-17 12:22:47 +0000)

That will truncate the capture at the end. I thought you wanted to remove the first 14 bytes, i.e. using the -C option?

grahamb (2023-01-17 14:24:08 +0000)

You don't necessarily need the -L option. If it's not available in your version of Wireshark, then you can continue without it. It just means that the "bytes on wire" and "bytes captured" won't match.

On the other hand, you will almost certainly still need the -T rawip option though (see my answer). And to ensure that only Ethernet frames with IPv4 Ethertypes are present in the capture file, you should pre-filter the pcap_file removing any non-IP frames like ARP, etc.

cmaynard (2023-01-17 19:53:25 +0000)
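To make grahamb's description of -C/-L and cmaynard's comment about "bytes on wire" versus "bytes captured" concrete, here is an added example (not editcap's code and not part of any answer in this thread) that performs the same chop directly on the classic pcap format in pure Python: it removes choplen bytes from the start (positive) or end (negative) of every record, optionally corrects the reported on-wire length the way -L does, and rewrites the link type to LINKTYPE_RAW (101), which is what -T rawip sets. The sample frame is the ICMP echo from cmaynard's answer; build_pcap, read_records and chop_pcap are the example's own names, and dropping records shorter than the chop length is this example's choice, not a statement about what editcap does.

```python
"""Chop bytes off every record of a classic (libpcap) file, optionally fixing
the reported on-wire length (editcap -L) and rewriting the link type (-T rawip)."""
import io
import struct
import sys

PCAP_MAGIC_USEC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
LINKTYPE_RAW = 101          # https://www.tcpdump.org/linktypes.html
GLOBAL_HDR = "IHHiIII"      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"         # ts_sec, ts_usec, incl_len (captured), orig_len (on wire)

# The 54-byte Ethernet/IPv4/ICMP frame shown in cmaynard's answer.
ICMP_FRAME = bytes.fromhex(
    "000eb6000002000eb60000010800" "4500"
    "00280000" "0000ff01" "37d1c000" "0201c000"
    "02020800" "a62f0001" "00014865" "6c6c6f20"
    "576f726c6421"
)

def _byte_order(magic):
    """Detect the writer's byte order from the 4-byte magic number."""
    for e in ("<", ">"):
        if magic == struct.pack(e + "I", PCAP_MAGIC_USEC):
            return e
    raise ValueError("not a classic microsecond-resolution pcap file")

def build_pcap(frames, linktype=LINKTYPE_ETHERNET, endian="<"):
    """Build an in-memory pcap (constructed test input); every frame is fully captured."""
    out = struct.pack(endian + GLOBAL_HDR, PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)
    for i, f in enumerate(frames):
        out += struct.pack(endian + RECORD_HDR, 1673952000 + i, 0, len(f), len(f)) + f
    return out

def read_records(pcap):
    """Return (linktype, [(ts_sec, ts_usec, incl_len, orig_len, data), ...])."""
    e = _byte_order(pcap[:4])
    linktype = struct.unpack(e + GLOBAL_HDR, pcap[:24])[6]
    recs, pos = [], 24
    while pos < len(pcap):
        if pos + 16 > len(pcap):
            raise ValueError("truncated record header at offset %d" % pos)
        ts_sec, ts_usec, incl, orig = struct.unpack(e + RECORD_HDR, pcap[pos:pos + 16])
        data = pcap[pos + 16:pos + 16 + incl]
        if len(data) != incl:
            raise ValueError("truncated record data at offset %d" % pos)
        recs.append((ts_sec, ts_usec, incl, orig, data))
        pos += 16 + incl
    return linktype, recs

def chop_pcap(src, choplen=14, adjust_reported=True, linktype=LINKTYPE_RAW):
    """Equivalent of editcap -C <choplen> [-L] [-T <linktype>] on raw bytes.
    Positive choplen removes bytes from the start of each packet, negative from
    the end. Records not longer than |choplen| are dropped (this example's choice)."""
    e = _byte_order(src[:4])
    hdr = list(struct.unpack(e + GLOBAL_HDR, src[:24]))
    hdr[6] = linktype                     # -T: declare the new encapsulation
    out = io.BytesIO()
    out.write(struct.pack(e + GLOBAL_HDR, *hdr))
    _, records = read_records(src)
    for ts_sec, ts_usec, incl, orig, data in records:
        if abs(choplen) >= incl:
            continue
        data = data[choplen:] if choplen >= 0 else data[:choplen]
        # Without -L the record keeps its old on-wire length, which is why
        # Wireshark then shows "bytes on wire" != "bytes captured".
        new_orig = orig - abs(choplen) if adjust_reported else orig
        out.write(struct.pack(e + RECORD_HDR, ts_sec, ts_usec, len(data), new_orig))
        out.write(data)
    return out.getvalue()

if __name__ == "__main__":
    # usage: python chop_pcap.py in.pcap out.pcap  (defaults: -C 14 -L -T rawip)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            result = chop_pcap(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(result)
    else:
        lt, recs = read_records(chop_pcap(build_pcap([ICMP_FRAME])))
        print("linktype", lt, "captured", recs[0][2], "on wire", recs[0][3])
```

Only classic pcap is handled, not pcapng (where, as cmaynard's comment on the other answer notes, each Interface Description Block carries its own link type and would need separate treatment).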


Stats

Asked: 2023-01-17 10:43:55 +0000

Seen: 1,074 times

Last updated: Jan 20 '23