Using editcap to prune a packet capture

This is just a quick one. I recently needed to filter unneeded frames/packets out of a couple of packet captures for some training material. Unfortunately I had captured a crap ton of data and really didn't want to post the whole 20 MB pcap file. I ran across the Wireshark command-line utility called "editcap". There is a lot you can do with editcap, as you can see at the following link:

Editing trace files with Editcap

However, all I needed to do was remove the frames before and after the area of interest. To do this on a MacBook (the same command works on any system with Wireshark's command-line tools installed):

editcap -r {source file} {destination file} {packets/frames you want to keep}

e.g.

editcap -r wirelesseapol.pcap wirelesseapolfiltered.pcap 790-900


This takes wirelesseapol.pcap, drops frames 1-789 and 901 through the end, and leaves frames 790-900 in a new packet capture called wirelesseapolfiltered.pcap. Two things worth knowing: the numbers are editcap's 1-based packet numbers, matching the "No." column Wireshark shows for the unfiltered file, and the range is inclusive; and the -r flag is what makes editcap keep the listed packets, since without -r the same command deletes them and keeps everything else. If the frames you need aren't contiguous, you can list more than one range on the command line.
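To make the numbering semantics concrete, here is an added example (not code from the original post, and not how editcap is implemented) that does the same keep-a-range pruning on a classic libpcap file in plain Python. It reads the 24-byte global header and walks the 16-byte per-packet record headers, numbering packets from 1 exactly as Wireshark and editcap do. The sample capture it operates on is constructed in the script (1000 dummy 60-byte frames), not a real capture; the function names and the CLI-style range argument are this example's own. It handles only classic pcap (microsecond and nanosecond, either byte order); editcap also reads and writes pcapng, which this does not.

```python
"""Keep or drop a 1-based, inclusive packet range from a classic libpcap file.

Added example: mirrors what `editcap -r in.pcap out.pcap 790-900` does
(keep the range) and what the same command without -r does (drop it).
Classic pcap only; pcapng is not handled here.
"""
import struct

# First 4 bytes read as a little-endian uint32 -> struct byte-order prefix.
# The nanosecond magics only change timestamp units, which we never decode.
PCAP_MAGICS = {
    0xA1B2C3D4: "<",  # little-endian file, microsecond timestamps
    0xD4C3B2A1: ">",  # big-endian file, microsecond timestamps
    0xA1B23C4D: "<",  # little-endian file, nanosecond timestamps
    0x4D3CB2A1: ">",  # big-endian file, nanosecond timestamps
}
GLOBAL_HEADER_LEN = 24   # magic, ver major/minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER_LEN = 16   # ts_sec, ts_usec, incl_len, orig_len


def parse_range(spec):
    """Parse an editcap-style 'A-B' or 'N' into (first, last), 1-based inclusive."""
    first, sep, last = spec.partition("-")
    first = int(first)
    last = int(last) if sep else first
    if first < 1 or last < first:
        raise ValueError(f"bad packet range: {spec!r}")
    return first, last


def iter_records(data):
    """Yield (packet_number, raw_record_bytes) for each record, numbering from 1."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic not in PCAP_MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    endian = PCAP_MAGICS[magic]
    offset = GLOBAL_HEADER_LEN
    number = 0
    while offset < len(data):
        if offset + RECORD_HEADER_LEN > len(data):
            raise ValueError("truncated packet record header")
        # incl_len (bytes captured on the wire for this record) sits at +8.
        (incl_len,) = struct.unpack(endian + "I", data[offset + 8:offset + 12])
        end = offset + RECORD_HEADER_LEN + incl_len
        if end > len(data):
            raise ValueError("truncated packet data")
        number += 1
        yield number, data[offset:end]
        offset = end


def keep_range(data, spec):
    """Like `editcap -r`: return a pcap containing only packets first..last."""
    first, last = parse_range(spec)
    kept = [rec for n, rec in iter_records(data) if first <= n <= last]
    return data[:GLOBAL_HEADER_LEN] + b"".join(kept)


def drop_range(data, spec):
    """Like editcap without -r: delete packets first..last, keep the rest."""
    first, last = parse_range(spec)
    kept = [rec for n, rec in iter_records(data) if not first <= n <= last]
    return data[:GLOBAL_HEADER_LEN] + b"".join(kept)


def count_packets(data):
    """Number of packet records in a classic pcap (what `capinfos -c` reports)."""
    return sum(1 for _ in iter_records(data))


def build_sample_pcap(num_packets):
    """Constructed test input: little-endian pcap, Ethernet linktype, dummy frames.

    Each 60-byte frame is filled with (packet number & 0xFF) so a kept record
    can be traced back to its original number.
    """
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = []
    for i in range(1, num_packets + 1):
        payload = bytes([i & 0xFF]) * 60
        rec_hdr = struct.pack("<IIII", 1499520000 + i, 0, len(payload), len(payload))
        records.append(rec_hdr + payload)
    return header + b"".join(records)


if __name__ == "__main__":
    capture = build_sample_pcap(1000)
    pruned = keep_range(capture, "790-900")
    print("original:", count_packets(capture), "packets")
    print("kept 790-900:", count_packets(pruned), "packets")          # 111
    print("dropped 790-900:", count_packets(drop_range(capture, "790-900")), "packets")
```

Keeping 790-900 yields 111 packets, not 110, because both ends of the range are included; that is the same count editcap produces for the command in the post. Note that the kept packets are renumbered from 1 in the output file, so frame 790 of the original becomes frame 1 of wirelesseapolfiltered.pcap, which matters if your training notes refer to frame numbers. Also, recent Wireshark versions save in pcapng by default, which this toy reader rejects; editcap itself handles both formats.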

You can also do this in Wireshark using File > Export Specified Packets. However, the CLI can be fun.
