.\" Automatically generated by Pod::Man 4.14 (Pod::Simple 3.40)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\"  diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear.  Run.  Save yourself.  No user-serviceable parts.
.    \" fudge factors for nroff and troff
.if n \{\
.    ds #H 0
.    ds #V .8m
.    ds #F .3m
.    ds #[ \f1
.    ds #] \fP
.\}
.if t \{\
.    ds #H ((1u-(\\\\n(.fu%2u))*.13m)
.    ds #V .6m
.    ds #F 0
.    ds #[ \&
.    ds #] \&
.\}
.    \" simple accents for nroff and troff
.if n \{\
.    ds ' \&
.    ds ` \&
.    ds ^ \&
.    ds , \&
.    ds ~ ~
.    ds /
.\}
.if t \{\
.    ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
.    ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
.    ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
.    ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
.    ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
.    ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
.\}
.    \" troff and (daisy-wheel) nroff accents
.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
.ds ae a\h'-(\w'a'u*4/10)'e
.ds Ae A\h'-(\w'A'u*4/10)'E
.    \" corrections for vroff
.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
.    \" for low resolution devices (crt and lpr)
.if \n(.H>23 .if \n(.V>19 \
\{\
.    ds : e
.    ds 8 ss
.    ds o a
.    ds d- d\h'-1'\(ga
.    ds D- D\h'-1'\(hy
.    ds th \o'bp'
.    ds Th \o'LP'
.    ds ae ae
.    ds Ae AE
.\}
.rm #[ #] #H #V #F C
.\" ========================================================================
.\"
.IX Title "EDITCAP 1"
.TH EDITCAP 1 "2021-12-09" "3.4.10" "The Wireshark Network Analyzer"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
editcap \- Edit and/or translate the format of capture files
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBeditcap\fR
[\ \fB\-a\fR\ <frame:comment>\ ]
[\ \fB\-A\fR\ <start\ time>\ ]
[\ \fB\-B\fR\ <stop\ time>\ ]
[\ \fB\-c\fR\ <packets\ per\ file>\ ]
[\ \fB\-C\fR\ [offset:]<choplen>\ ]
[\ \fB\-E\fR\ <error\ probability>\ ]
[\ \fB\-F\fR\ <file\ format>\ ]
[\ \fB\-h\fR\ ]
[\ \fB\-i\fR\ <seconds\ per\ file>\ ]
[\ \fB\-o\fR\ <change\ offset>\ ]
[\ \fB\-L\fR\ ]
[\ \fB\-r\fR\ ]
[\ \fB\-s\fR\ <snaplen>\ ]
[\ \fB\-S\fR\ <strict\ time\ adjustment>\ ]
[\ \fB\-t\fR\ <time\ adjustment>\ ]
[\ \fB\-T\fR\ <encapsulation\ type>\ ]
[\ \fB\-v\fR\ ]
[\ \fB\-\-inject\-secrets\fR\ <secrets\ type>,<file>\ ]
[\ \fB\-\-discard\-all\-secrets\fR\ ]
[\ \fB\-\-capture\-comment\fR\ <comment>\ ]
[\ \fB\-\-discard\-capture\-comment\fR\ ]
\&\fIinfile\fR
\&\fIoutfile\fR
[\ \fIpacket#\fR[\-\fIpacket#\fR]\ ...\ ]
.PP
\&\fBeditcap\fR
\&\ \fB\-d\fR\  |
\&\ \fB\-D\fR\ <dup\ window>\  |
\&\ \fB\-w\fR\ <dup\ time\ window>\ 
[\ \fB\-v\fR\ ]
[\ \fB\-I\fR\ <bytes\ to\ ignore>\ ]
[\ \fB\-\-skip\-radiotap\-header\fR\ ]
\&\fIinfile\fR
\&\fIoutfile\fR
.PP
\&\fBeditcap\fR
[\ \fB\-V\fR\ ]
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBEditcap\fR is a program that reads some or all of the captured packets from the
\&\fIinfile\fR, optionally converts them in various ways and writes the
resulting packets to the capture \fIoutfile\fR (or outfiles).
.PP
By default, it reads all packets from the \fIinfile\fR and writes them to the
\&\fIoutfile\fR in pcapng file format.
.PP
An optional list of packet numbers can be specified on the command tail;
individual packet numbers separated by whitespace and/or ranges of packet
numbers can be specified as \fIstart\fR\-\fIend\fR, referring to all packets from
\&\fIstart\fR to \fIend\fR.  By default the selected packets with those numbers will
\&\fInot\fR be written to the capture file.  If the \fB\-r\fR flag is specified, the
whole packet selection is reversed; in that case \fIonly\fR the selected packets
will be written to the capture file.
.PP
\&\fBEditcap\fR can also be used to remove duplicate packets.  Several different
options (\fB\-d\fR, \fB\-D\fR and \fB\-w\fR) are used to control the packet window
or relative time window to be used for duplicate comparison.
.PP
\&\fBEditcap\fR can be used to assign comment strings to frame numbers.
.PP
\&\fBEditcap\fR is able to detect, read and write the same capture files that
are supported by \fBWireshark\fR.
The input file doesn't need a specific filename extension; the file
format and an optional gzip compression will be automatically detected.
Near the beginning of the \s-1DESCRIPTION\s0 section of \fBwireshark\fR\|(1) or
<https://www.wireshark.org/docs/man\-pages/wireshark.html>
is a detailed description of the way \fBWireshark\fR handles this, which is
the same way \fBEditcap\fR handles this.
.PP
\&\fBEditcap\fR can write the file in several output formats. The \fB\-F\fR
flag can be used to specify the format in which to write the capture
file; \fBeditcap \-F\fR provides a list of the available output formats.
.SH "OPTIONS"
.IX Header "OPTIONS"
.IP "\-a  <framenum:comment>" 4
.IX Item "-a <framenum:comment>"
For the specifiqed frame number, assign the given comment string.
Can be repeated for multiple frames.  Quotes should be used with comment
strings that include spaces.
.IP "\-A  <start time>" 4
.IX Item "-A <start time>"
Saves only the packets whose timestamp is on or after start time.
The time is given in the following format YYYY-MM-DD HH:MM:SS[.nnnnnnnnn]
(the decimal and fractional seconds are optional).
.IP "\-B  <stop time>" 4
.IX Item "-B <stop time>"
Saves only the packets whose timestamp is before stop time.
The time is given in the following format YYYY-MM-DD HH:MM:SS[.nnnnnnnnn]
(the decimal and fractional seconds are optional).
.IP "\-c  <packets per file>" 4
.IX Item "-c <packets per file>"
Splits the packet output to different files based on uniform packet counts
with a maximum of <packets per file> each.
.Sp
Each output file will be created with an infix _nnnnn[_YYYYmmddHHMMSS] inserted
before the file extension (which may be null) of \fIoutfile\fR.  The infix
consists of the ordinal number of the output file, starting with 00000,
followed by the timestamp of its first packet.  The timestamp is omitted if
the input file does not contain timestamp information.
.Sp
After the specified number of packets is written to the output file, the next
output file is opened.  The default is to use a single output file.
This option conflicts with \fB\-i\fR.
.IP "\-C  [offset:]<choplen>" 4
.IX Item "-C [offset:]<choplen>"
Sets the chop length to use when writing the packet data. Each packet is
chopped by <choplen> bytes of data. Positive values chop at the packet
beginning while negative values chop at the packet end.
.Sp
If an optional offset precedes the <choplen>, then the bytes chopped will be
offset from that value. Positive offsets are from the packet beginning, while
negative offsets are from the packet end.
.Sp
This is useful for chopping headers for decapsulation of an entire capture,
removing tunneling headers, or in the rare case that the conversion between two
file formats leaves some random bytes at the end of each packet. Another use is
for removing vlan tags.
.Sp
\&\s-1NOTE:\s0 This option can be used more than once, effectively allowing you to chop
bytes from up to two different areas of a packet in a single pass provided that
you specify at least one chop length as a positive value and at least one as a
negative value.  All positive chop lengths are added together as are all
negative chop lengths.
.IP "\-d" 4
.IX Item "-d"
Attempts to remove duplicate packets.  The length and \s-1MD5\s0 hash of the
current packet are compared to the previous four (4) packets.  If a
match is found, the current packet is skipped.  This option is equivalent
to using the option \fB\-D 5\fR.
.IP "\-D  <dup window>" 4
.IX Item "-D <dup window>"
Attempts to remove duplicate packets.  The length and \s-1MD5\s0 hash of the
current packet are compared to the previous <dup window> \- 1 packets.
If a match is found, the current packet is skipped.
.Sp
The use of the option \fB\-D 0\fR combined with the \fB\-v\fR option is useful
in that each packet's Packet number, Len and \s-1MD5\s0 Hash will be printed
to standard out.  This verbose output (specifically the \s-1MD5\s0 hash strings)
can be useful in scripts to identify duplicate packets across trace
files.
.Sp
The <dup window> is specified as an integer value between 0 and 1000000 (inclusive).
.Sp
\&\s-1NOTE:\s0 Specifying large <dup window> values with large tracefiles can
result in very long processing times for \fBeditcap\fR.
.IP "\-E  <error probability>" 4
.IX Item "-E <error probability>"
Sets the probability that bytes in the output file are randomly changed.
\&\fBEditcap\fR uses that probability (between 0.0 and 1.0 inclusive)
to apply errors to each data byte in the file.  For instance, a
probability of 0.02 means that each byte has a 2% chance of having an error.
.Sp
This option is meant to be used for fuzz-testing protocol dissectors.
.IP "\-F  <file format>" 4
.IX Item "-F <file format>"
Sets the file format of the output capture file.
\&\fBEditcap\fR can write the file in several formats, \fBeditcap \-F\fR
provides a list of the available output formats. The default
is the \fBpcapng\fR format.
.IP "\-h" 4
.IX Item "-h"
Prints the version and options and exits.
.IP "\-i  <seconds per file>" 4
.IX Item "-i <seconds per file>"
Splits the packet output to different files based on uniform time
intervals using a maximum interval of <seconds per file> each.  Floating
point values (e.g. 0.5) are allowed.
.Sp
Each output file will be created with an infix _nnnnn[_YYYYmmddHHMMSS] inserted
before the file extension (which may be null) of \fIoutfile\fR.  The infix
consists of the ordinal number of the output file, starting with 00000,
followed by the timestamp of its first packet.  The timestamp is omitted if
the input file does not contain timestamp information.
.Sp
After packets for the specified time interval are written to the output file,
the next output file is opened.  The default is to use a single output file.
This option conflicts with \fB\-c\fR.
.IP "\-I  <bytes to ignore>" 4
.IX Item "-I <bytes to ignore>"
Ignore the specified number of bytes at the beginning of the frame during \s-1MD5\s0 hash calculation,
unless the frame is too short, then the full frame is used.
Useful to remove duplicated packets taken on several routers (different mac addresses for example)
e.g. \-I 26 in case of Ether/IP will ignore ether(14) and \s-1IP\s0 header(20 \- 4(src ip) \- 4(dst ip)).
The default value is 0.
.IP "\-L" 4
.IX Item "-L"
Adjust the original frame length accordingly when chopping and/or snapping
(in addition to the captured length, which is always adjusted regardless of
whether \fB\-L\fR is specified or not).  See also \fB\-C <choplen\fR> and \fB\-s <snaplen\fR>.
.IP "\-o  <change offset>" 4
.IX Item "-o <change offset>"
When used in conjunction with \-E, skip some bytes from the beginning of the packet
from being changed. In this way some headers don't get changed, and the fuzzer is
more focused on a smaller part of the packet. Keeping a part of the packet fixed
the same dissector is triggered, that make the fuzzing more precise.
.IP "\-r" 4
.IX Item "-r"
Reverse the packet selection.
Causes the packets whose packet numbers are specified on the command
line to be written to the output capture file, instead of discarding them.
.IP "\-s  <snaplen>" 4
.IX Item "-s <snaplen>"
Sets the snapshot length to use when writing the data.
If the \fB\-s\fR flag is used to specify a snapshot length, packets in the
input file with more captured data than the specified snapshot length
will have only the amount of data specified by the snapshot length
written to the output file.
.Sp
This may be useful if the program that is
to read the output file cannot handle packets larger than a certain size
(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6
appear to reject Ethernet packets larger than the standard Ethernet \s-1MTU,\s0
making them incapable of handling gigabit Ethernet captures if jumbo
packets were used).
.IP "\-\-seed  <seed>" 4
.IX Item "--seed <seed>"
When used in conjunction with \-E, set the seed for the pseudo-random number generator.
This is useful for recreating a particular sequence of errors.
.IP "\-\-skip\-radiotap\-header" 4
.IX Item "--skip-radiotap-header"
Skip the radiotap header of each frame when checking for packet duplicates. This is useful
when processing a capture created by combining outputs of multiple capture devices on the same
channel in the vicinity of each other.
.IP "\-S  <strict time adjustment>" 4
.IX Item "-S <strict time adjustment>"
Time adjust selected packets to ensure strict chronological order.
.Sp
The <strict time adjustment> value represents relative seconds
specified as [\-]\fIseconds\fR[\fI.fractional seconds\fR].
.Sp
As the capture file is processed each packet's absolute time is
\&\fIpossibly\fR adjusted to be equal to or greater than the previous
packet's absolute timestamp depending on the <strict time
adjustment> value.
.Sp
If <strict time adjustment> value is 0 or greater (e.g. 0.000001)
then \fBonly\fR packets with a timestamp less than the previous packet
will adjusted.  The adjusted timestamp value will be set to be
equal to the timestamp value of the previous packet plus the value
of the <strict time adjustment> value.  A <strict time adjustment>
value of 0 will adjust the minimum number of timestamp values
necessary to ensure that the resulting capture file is in
strict chronological order.
.Sp
If <strict time adjustment> value is specified as a
negative value, then the timestamp values of \fBall\fR
packets will be adjusted to be equal to the timestamp value
of the previous packet plus the absolute value of the
<lt>strict time adjustment<gt> value. A <strict time
adjustment> value of \-0 will result in all packets
having the timestamp value of the first packet.
.Sp
This feature is useful when the trace file has an occasional
packet with a negative delta time relative to the previous
packet.
.IP "\-t  <time adjustment>" 4
.IX Item "-t <time adjustment>"
Sets the time adjustment to use on selected packets.
If the \fB\-t\fR flag is used to specify a time adjustment, the specified
adjustment will be applied to all selected packets in the capture file.
The adjustment is specified as [\-]\fIseconds\fR[\fI.fractional seconds\fR].
For example, \fB\-t\fR 3600 advances the timestamp on selected packets by one
hour while \fB\-t\fR \-0.5 reduces the timestamp on selected packets by
one-half second.
.Sp
This feature is useful when synchronizing dumps
collected on different machines where the time difference between the
two machines is known or can be estimated.
.IP "\-T  <encapsulation type>" 4
.IX Item "-T <encapsulation type>"
Sets the packet encapsulation type of the output capture file.
If the \fB\-T\fR flag is used to specify an encapsulation type, the
encapsulation type of the output capture file will be forced to the
specified type.
\&\fBeditcap \-T\fR provides a list of the available types. The default
type is the one appropriate to the encapsulation type of the input
capture file.
.Sp
Note: this merely
forces the encapsulation type of the output file to be the specified
type; the packet headers of the packets will not be translated from the
encapsulation type of the input capture file to the specified
encapsulation type (for example, it will not translate an Ethernet
capture to an \s-1FDDI\s0 capture if an Ethernet capture is read and '\fB\-T
fddi\fR' is specified). If you need to remove/add headers from/to a
packet, you will need \fBod\fR\|(1)/\fBtext2pcap\fR\|(1).
.IP "\-v" 4
.IX Item "-v"
Causes \fBeditcap\fR to print verbose messages while it's working.
.Sp
Use of \fB\-v\fR with the de-duplication switches of \fB\-d\fR, \fB\-D\fR or \fB\-w\fR
will cause all \s-1MD5\s0 hashes to be printed whether the packet is skipped
or not.
.IP "\-V" 4
.IX Item "-V"
Print the version and exit.
.IP "\-w  <dup time window>" 4
.IX Item "-w <dup time window>"
Attempts to remove duplicate packets.  The current packet's arrival time
is compared with up to 1000000 previous packets.  If the packet's relative
arrival time is \fIless than or equal to\fR the <dup time window> of a previous packet
and the packet length and \s-1MD5\s0 hash of the current packet are the same then
the packet to skipped.  The duplicate comparison test stops when
the current packet's relative arrival time is greater than <dup time window>.
.Sp
The <dup time window> is specified as \fIseconds\fR[\fI.fractional seconds\fR].
.Sp
The [.fractional seconds] component can be specified to nine (9) decimal
places (billionths of a second) but most typical trace files have resolution
to six (6) decimal places (millionths of a second).
.Sp
\&\s-1NOTE:\s0 Specifying large <dup time window> values with large tracefiles can
result in very long processing times for \fBeditcap\fR.
.Sp
\&\s-1NOTE:\s0 The \fB\-w\fR option assumes that the packets are in chronological order.
If the packets are \s-1NOT\s0 in chronological order then the \fB\-w\fR duplication
removal option may not identify some duplicates.
.IP "\-\-inject\-secrets <secrets type>,<file>" 4
.IX Item "--inject-secrets <secrets type>,<file>"
Inserts the contents of <file> into a Decryption Secrets Block (\s-1DSB\s0)
within the pcapng output file. This enables decryption without requiring
additional configuration in protocol preferences.
.Sp
The file format is described by <secrets type> which can be one of:
.Sp
\&\fItls\fR  \s-1TLS\s0 Key Log as described at <https://developer.mozilla.org/NSS_Key_Log_Format>
\&\fIwg\fR   WireGuard Key Log, see <https://gitlab.com/wireshark/wireshark/\-/wikis/WireGuard#key\-log\-format>
.Sp
This option may be specified multiple times. The available options for
<secrets type> can be listed with \fB\-\-inject\-secrets help\fR.
.IP "\-\-discard\-all\-secrets" 4
.IX Item "--discard-all-secrets"
Discard all decryption secrets from the input file when writing the
output file.  Does not discard secrets added by \fB\-\-inject\-secrets\fR in
the same command line.
.IP "\-\-capture\-comment <comment>" 4
.IX Item "--capture-comment <comment>"
Adds the given comment to the Section Header Block (\s-1SHB\s0) of the pcapng
output file. New comments will be added \fIafter\fR any comments present in the
input file unless \fB\-\-discard\-capture\-comment\fR is also specified.
.Sp
This option may be specified multiple times. Note that Wireshark currently only
recognizes the first comment of a capture file.
.IP "\-\-discard\-capture\-comment" 4
.IX Item "--discard-capture-comment"
Discard all capture file comments from the input file when writing the output
file. Does not discard comments added by \fB\-\-capture\-comment\fR in the same
command line.
.SH "EXAMPLES"
.IX Header "EXAMPLES"
To see more detailed description of the options use:
.PP
.Vb 1
\&    editcap \-h
.Ve
.PP
To shrink the capture file by truncating the packets at 64 bytes and writing it as Sun snoop file use:
.PP
.Vb 1
\&    editcap \-s 64 \-F snoop capture.pcapng shortcapture.snoop
.Ve
.PP
To delete packet 1000 from the capture file use:
.PP
.Vb 1
\&    editcap capture.pcapng sans1000.pcapng 1000
.Ve
.PP
To limit a capture file to packets from number 200 to 750 (inclusive) use:
.PP
.Vb 1
\&    editcap \-r capture.pcapng small.pcapng 200\-750
.Ve
.PP
To get all packets from number 1\-500 (inclusive) use:
.PP
.Vb 1
\&    editcap \-r capture.pcapng first500.pcapng 1\-500
.Ve
.PP
or
.PP
.Vb 1
\&    editcap capture.pcapng first500.pcapng 501\-9999999
.Ve
.PP
To exclude packets 1, 5, 10 to 20 and 30 to 40 from the new file use:
.PP
.Vb 1
\&    editcap capture.pcapng exclude.pcapng 1 5 10\-20 30\-40
.Ve
.PP
To select just packets 1, 5, 10 to 20 and 30 to 40 for the new file use:
.PP
.Vb 1
\&    editcap \-r capture.pcapng select.pcapng 1 5 10\-20 30\-40
.Ve
.PP
To remove duplicate packets seen within the prior four frames use:
.PP
.Vb 1
\&    editcap \-d capture.pcapng dedup.pcapng
.Ve
.PP
To remove duplicate packets seen within the prior four frames while skipping radiotap headers use:
.PP
.Vb 1
\&    editcap \-d \-\-skip\-radiotap\-header capture.pcapng dedup.pcapng
.Ve
.PP
To remove duplicate packets seen within the prior 100 frames use:
.PP
.Vb 1
\&    editcap \-D 101 capture.pcapng dedup.pcapng
.Ve
.PP
To remove duplicate packets seen \fIequal to or less than\fR 1/10th of a second:
.PP
.Vb 1
\&    editcap \-w 0.1 capture.pcapng dedup.pcapng
.Ve
.PP
To display the \s-1MD5\s0 hash for all of the packets (and \s-1NOT\s0 generate any
real output file):
.PP
.Vb 1
\&    editcap \-v \-D 0 capture.pcapng /dev/null
.Ve
.PP
or on Windows systems
.PP
.Vb 1
\&    editcap \-v \-D 0 capture.pcapng NUL
.Ve
.PP
To advance the timestamps of each packet forward by 3.0827 seconds:
.PP
.Vb 1
\&    editcap \-t 3.0827 capture.pcapng adjusted.pcapng
.Ve
.PP
To ensure all timestamps are in strict chronological order:
.PP
.Vb 1
\&    editcap \-S 0 capture.pcapng adjusted.pcapng
.Ve
.PP
To introduce 5% random errors in a capture file use:
.PP
.Vb 1
\&    editcap \-E 0.05 capture.pcapng capture_error.pcapng
.Ve
.PP
To remove vlan tags from all packets within an Ethernet-encapsulated capture
file, use:
.PP
.Vb 1
\&    editcap \-L \-C 12:4 capture_vlan.pcapng capture_no_vlan.pcapng
.Ve
.PP
To chop both the 10 byte and 20 byte regions from the following 75 byte packet
in a single pass, use any of the 8 possible methods provided below:
.PP
.Vb 1
\&    <\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\- 75 \-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\->
\&
\&    +\-\-\-+\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\&    | 5 |   10  |     15    |       20      |         25        |
\&    +\-\-\-+\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
\&
\&    1) editcap \-C 5:10 \-C \-25:\-20 capture.pcapng chopped.pcapng
\&    2) editcap \-C 5:10 \-C 50:\-20 capture.pcapng chopped.pcapng
\&    3) editcap \-C \-70:10 \-C \-25:\-20 capture.pcapng chopped.pcapng
\&    4) editcap \-C \-70:10 \-C 50:\-20 capture.pcapng chopped.pcapng
\&    5) editcap \-C 30:20 \-C \-60:\-10 capture.pcapng chopped.pcapng
\&    6) editcap \-C 30:20 \-C 15:\-10 capture.pcapng chopped.pcapng
\&    7) editcap \-C \-45:20 \-C \-60:\-10 capture.pcapng chopped.pcapng
\&    8) editcap \-C \-45:20 \-C 15:\-10 capture.pcapng chopped.pcapng
.Ve
.PP
To add comment strings to the first 2 input frames, use:
.PP
.Vb 1
\&    editcap \-a "1:1st frame" \-a 2:Second capture.pcapng capture\-comments.pcapng
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBpcap\fR\|(3), \fBwireshark\fR\|(1), \fBtshark\fR\|(1), \fBmergecap\fR\|(1), \fBdumpcap\fR\|(1), \fBcapinfos\fR\|(1),
\&\fBtext2pcap\fR\|(1), \fBreordercap\fR\|(1), \fBod\fR\|(1), \fBpcap\-filter\fR\|(7) or \fBtcpdump\fR\|(8)
.SH "NOTES"
.IX Header "NOTES"
\&\fBEditcap\fR is part of the \fBWireshark\fR distribution.  The latest version
of \fBWireshark\fR can be found at <https://www.wireshark.org>.
.PP
\&\s-1HTML\s0 versions of the Wireshark project man pages are available at:
<https://www.wireshark.org/docs/man\-pages>.
.SH "AUTHORS"
.IX Header "AUTHORS"
.Vb 3
\&  Original Author
\&  \-\-\-\-\-\-\-\- \-\-\-\-\-\-
\&  Richard Sharpe           <sharpe[AT]ns.aus.com>
\&
\&
\&  Contributors
\&  \-\-\-\-\-\-\-\-\-\-\-\-
\&  Guy Harris               <guy[AT]alum.mit.edu>
\&  Ulf Lamping              <ulf.lamping[AT]web.de>
.Ve