If you are testing a network intrusion detection system or a network access control policy, you often need to capture packets and analyze the resulting files offline. Captured packets are usually stored in the libpcap format (pcap), which is used by many open source sniffers and packet capture programs. Before a pcap file is used for offline analysis or penetration testing, or replayed into a network, it is common to perform a few operations on it first.
In this article, I will describe some of the tools for operating on pcap files and how to use them.
Editcap and Mergecap
Wireshark is the most popular GUI sniffer, and it ships with several very useful command-line tools, including editcap and mergecap. editcap is a versatile pcap editor that can filter a pcap file in various ways and split it into pieces. mergecap can combine multiple pcap files into one. This article is based on these two Wireshark command-line tools.
If you have already installed Wireshark, these tools are already on your system. If not, install the Wireshark command-line tools as follows. Note that on Debian-based distributions you can install only the command-line tools without the Wireshark GUI, whereas on Red Hat-based distributions you need to install the whole Wireshark package.
Debian, Ubuntu or Linux Mint
$ sudo apt-get install wireshark-common
Fedora, CentOS or RHEL
$ sudo yum install wireshark
Once the tools are installed, you can start using editcap and mergecap.
Filtering pcap files
With editcap we can filter the contents of a pcap file by many different rules and save the result to a new file.
First, filter a pcap file by a start and stop time. The "-A <start-time>" and "-B <end-time>" options keep only the packets that arrived within that interval (for example, from 2:30 to 2:35). The time format is "YYYY-MM-DD HH:MM:SS".
$ editcap -A '2014-12-10 10:11:01' -B '2014-12-10 10:21:01' input.pcap output.pcap
You can also extract a range of N packets from a file. The following command extracts 100 packets (numbers 401 to 500) from input.pcap and saves them to output.pcap. The -r option keeps only the selected packets; without it, editcap deletes the listed packets and keeps everything else:
$ editcap -r input.pcap output.pcap 401-500
The "-D <dup-window>" option removes duplicate packets (dup-window is the size of the comparison window; only packets within that range are compared against each other). Each packet is compared with the previous <dup-window> - 1 packets by length and MD5 hash, and if there is a match it is discarded.
$ editcap -D 10 input.pcap output.pcap
Scanning 37568 packets with a window of 10 found only one duplicate packet, which was discarded.
The window can also be defined as a time interval. With the "-w <dup-time-window>" option, a packet is compared against the packets that arrived within that many seconds before it.
$ editcap -w 0.5 input.pcap output.pcap
Scanning 50,000 packets with a 0.5 s duplicate window found no duplicates.
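To make the -D window semantics concrete, here is an added example (not part of the original article and not Wireshark's own code) that reads a small libpcap file and drops packets whose length and MD5 match one of the previous dup-window - 1 packets, the same rule editcap applies. The pcap bytes are constructed inline; the function names and the SAMPLE_PACKETS data are assumptions of this example.

```python
import hashlib
import struct
from collections import deque

# Little-endian libpcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype (Ethernet)
PCAP_GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)

# Constructed test data: (ts_sec, ts_usec, payload). Packets 0, 2 and 5 are identical.
SAMPLE_PACKETS = [
    (1418177461, 0, b"AAAA"), (1418177461, 10, b"BBBB"), (1418177461, 20, b"AAAA"),
    (1418177461, 30, b"CCCC"), (1418177461, 40, b"DDDD"), (1418177461, 50, b"AAAA"),
]

def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, payload) tuples into an in-memory libpcap file."""
    out = bytearray(PCAP_GLOBAL_HDR)
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data  # record header + data
    return bytes(out)

def read_pcap(blob):
    """Yield (ts_sec, ts_usec, payload) records from a little-endian microsecond pcap blob."""
    if struct.unpack("<I", blob[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond-resolution pcap file")
    off = 24  # skip the global header
    while off < len(blob):
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", blob[off:off + 16])
        off += 16
        yield sec, usec, blob[off:off + incl_len]
        off += incl_len

def dedup_window(blob, window):
    """Mirror 'editcap -D <window>': a packet is dropped if its (length, MD5) matches any of the
    previous window - 1 packets. Returns (kept_records, dropped_count)."""
    recent = deque(maxlen=window - 1)  # ring of (length, md5) for the preceding packets
    kept, dropped = [], 0
    for rec in read_pcap(blob):
        sig = (len(rec[2]), hashlib.md5(rec[2]).digest())
        if sig in recent:
            dropped += 1
        else:
            kept.append(rec)
        recent.append(sig)  # like editcap, the dropped packet still occupies a slot in the window
    return kept, dropped

if __name__ == "__main__":
    for w in (2, 3):
        kept, dropped = dedup_window(build_pcap(SAMPLE_PACKETS), w)
        print(f"window {w}: kept {len(kept)}, dropped {dropped}")
```

With a window of 3 the repeat at position 2 is dropped but the one at position 5 survives because it falls outside the window; with a window of 2 nothing is dropped, which shows why the window size matters for the result.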
Splitting pcap files
When you need to split a large pcap file into several smaller ones, editcap is also very useful.
Split a pcap file into multiple files with the same number of packets each:
$ editcap -c <packets-per-file> <input-pcap-file> <output-prefix>
Each output file holds the same number of packets and is named <output-prefix>-NNNN, with a sequence number appended to the prefix.
Split a pcap file by time interval:
$ editcap -i <seconds-per-file> <input-pcap-file> <output-prefix>
Merging pcap files
If you want to merge multiple pcap files into one, mergecap makes it very convenient.
When merging multiple files, mergecap by default orders the packets by their internal timestamps.
$ mergecap -w output.pcap input.pcap input2.pcap [input3.pcap ...]
If you want to ignore the timestamps and simply concatenate the files in the order given on the command line, use the -a option.
For example, the following command writes the contents of input.pcap to output.pcap and appends the contents of input2.pcap after it.
$ mergecap -a -w output.pcap input.pcap input2.pcap
Summary
In this guide, I showed several examples of editcap and mergecap operations on pcap files. There are other tools as well, such as reordercap for reordering packets, text2pcap for converting text dumps into pcap files, and pcap-diff for comparing the differences between pcap files. When testing network intrusion detection or troubleshooting network problems, these tools together with a packet injection tool are very practical, so it is worth getting to know them.
Have you used any pcap tools? If so, what have you used them for?