Ethereal Packet Sniffing (Syngress)

Editcap is a program used to remove or select packets from a file and to translate the format of captured files. It doesn’t capture live traffic; it only reads data from a saved capture file and then saves some or all of the packets to a new capture file. Editcap can read all of the same types of files that Ethereal can, and by default writes to libpcap format. Editcap can also write captures to standard and modified versions of libpcap, Sun snoop, Novell LANalyzer, Networks Associate’s Sniffer, Microsoft Network Monitor, Visual Network traffic capture, Accellent 5Views capture, and Network Instruments Observer version 9 captures. Editcap can determine the file type that it is reading, and is also capable of reading files that are compressed with gzip.

By default editcap writes all of the packets in the capture file to the output file. If you specify a list of packet numbers on the command line, those packets will not be written to the output capture file. If the –r option is specified, it will reverse the default configuration and write only the specified packets to the output capture file. You can also specify a range of packets to include or exclude in the output capture file.

The following information is the usage output for the editcap program:

C:\Program Files\Ethereal>editcap -h Usage: editcap [-r] [-h] [-v] [-T <encap type>] [-F <capture type>] [-s <snaplen>] [-t <time adjustment <infile> <outfile> [ <record#>[-<record#>] ... ] where -r specifies that the records specified should be kept, not deleted, default is to delete -v specifies verbose operation, default is silent -h produces this help listing. -T <encap type> specifies the encapsulation type to use: ether - Ethernet tr - Token Ring slip - SLIP ppp - PPP fddi - FDDI fddi-swapped - FDDI with bit-swapped MAC addresses rawip - Raw IP arcnet - ARCNET arcnet_linux - Linux ARCNET atm-rfc1483 - RFC 1483 ATM linux-atm-clip - Linux ATM CLIP lapb - LAPB atm-pdus - ATM PDUs atm-pdus-untruncated - ATM PDUs - untruncated null - NULL ascend - Lucent/Ascend access equipment isdn - ISDN ip-over-fc - RFC 2625 IP-over-Fibre Channel ppp-with-direction - PPP with Directional Info ieee-802-11 - IEEE 802.11 Wireless LAN ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information linux-sll - Linux cooked-mode capture frelay - Frame Relay frelay-with-direction - Frame Relay with Directional Info chdlc - Cisco HDLC ios - Cisco IOS internal ltalk - Localtalk prism - IEEE 802.11 plus Prism II monitor mode header pflog-old - OpenBSD PF Firewall logs, pre-3.4 hhdlc - HiPath HDLC docsis - Data Over Cable Service Interface Specification cosine - CoSine L2 debug log wlan - IEEE 802.11 plus AVS WLAN monitor header whdlc - Wellfleet HDLC sdlc - SDLC tzsp - Tazmen sniffer protocol enc - OpenBSD enc(4) encapsulating interface pflog - OpenBSD PF Firewall logs chdlc-with-direction - Cisco HDLC with Directional Info bluetooth-h4 - Bluetooth H4 mtp2 - SS7 MTP2 mtp3 - SS7 MTP3 default is the same as the input file -F <capture type> specifies the capture file type to write: libpcap - libpcap (tcpdump, Ethereal, etc.) rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump) suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump) modlibpcap - modified libpcap (tcpdump) nokialibpcap - Nokia libpcap (tcpdump) lanalyzer - Novell LANalyzer ngsniffer - Network Associates Sniffer (DOS-based) snoop - Sun snoop netmon1 - Microsoft Network Monitor 1.x netmon2 - Microsoft Network Monitor 2.x ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1 ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x visual - Visual Networks traffic capture 5views - Accellent 5Views capture niobserverv9 - Network Instruments Observer version 9 default is libpcap -s <snaplen> specifies that packets should be truncated to <snaplen> bytes of data -t <time adjustment> specifies the time adjustment to be applied to selected packets A range of records can be specified as well

The following command line options are used to control Editcap’s data translation and output:

• –F type This option is used to set the format of the output capture file. For example, if you want to save a file in the Sun snoop format so that snoop can read the capture file, you would use the –F snoop option.

• –h This option prints the help options of editcap, then exits.

• –r This option will cause the packets whose numbers are specified on the command line to be written to the output capture file. This is opposite of the default action, which is to remove the packets that are specified on the command line. Packets can only be specified as a consecutive range in the start-end format, or individually; they cannot be comma delimited.

• –s snaplen This option will set the snapshot length to use when writing the data to the output capture file. Packets that are larger than the snaplen will be truncated. This option is helpful if you only want to save the packet headers, or if the program you will be importing the capture file into can only read packets of a certain size.

• –t [-]seconds[.fractional seconds] This option will allow you to specify a time adjustment to apply to selected frames in the output capture file. The time adjustment is specified in seconds and fractions of seconds. An option of –t 3600 will advance the timestamp on the selected frames by one hour, while the option of –t –3600 will reduce the timestamp on the selected frames by one hour. This option is useful when you need to synchronize packet traces with other logs from different devices.

• –T type This option sets the packet encapsulation type of the output capture file. The default type is the same encapsulation type as the input file. This option forces the encapsulation type of the output capture file to be a specified type, however the packet headers will remain the same encapsulation type as the input capture file. This is because the encapsulation type is stored as meta-data, outside of the packet data. The encapsulation type is a single variable that is changed, thus allowing the packet data and headers of the original packet to remain unchanged.

• –v This option will cause editcap to print various messages to the screen while it is processing files.

The following is an example of using editcap to translate the first five packets, plus packets 10, 15, and 17 from a tethereal libpcap capture file called capture to a Sun snoop output file called capture_snoop:

C:\Program Files\Ethereal>editcap -r -v -F snoop capture capture_snoop 1-5 10 15 17 File capture is a libpcap (tcpdump, Ethereal, etc.) capture file. Add_Selected: 1-5 Inclusive ... 1, 5 Add_Selected: 10 Not inclusive ... 10 Add_Selected: 15 Not inclusive ... 15 Add_Selected: 17 Not inclusive ... 17 Record: 1 Record: 2 Record: 3 Record: 4 Record: 5 Record: 10 Record: 15 Record: 17

The next example uses editcap to translate all packets, except packets 5 through 120, from a libpcap capture file called capture to a libpcap output file called capture_out:

C:\Program Files\Ethereal>editcap -v capture capture_out 5-120 File capture is a libpcap (tcpdump, Ethereal, etc.) capture file. Add_Selected: 5-120 Inclusive ... 5, 120 Record: 1 Record: 2 Record: 3 Record: 4 Record: 121 Record: 122

The next example uses editcap to adjust the timestamp forward by five and a half seconds on all packets. It uses an NAI Sniffer Pro capture file called capture.dump as input and saves the output to a Novell LANalyzer file called capture_out:

C:\Program Files\Ethereal>editcap -v -F lanalyzer -t 5.5 capture.dump capture_out File capture is a libpcap (tcpdump, Ethereal, etc.) capture file. Record: 1 Record: 2 Record: 3 Record: 4 Record: 5 Record: 6 Record: 7 Record: 8 Record: 9 Record: 10 output removed

The next example uses editcap to save the first 35 bytes of the input capture file called capture to the output capture file called capture_out. This will include the full Ethernet and IP headers in the output file:

C:\Program Files\Ethereal>editcap -v -s 35 capture capture_out File capture is a libpcap (tcpdump, Ethereal, etc.) capture file. Record: 1 Record: 2 Record: 3 Record: 4 Record: 5 Record: 6 Record: 7 Record: 8 Record: 9 Record: 10 output removed

The next example uses editcap to translate input capture file called capture to the output capture file called capture_out with an encapsulation type of IEEE 802.11 Wireless LAN:

C:\Program Files\Ethereal>editcap -v -T ieee-802-11 capture capture_out File capture is a libpcap (tcpdump, Ethereal, etc.) capture file. Record: 1 Record: 2 Record: 3 Record: 4 Record: 5 Record: 6 Record: 7 Record: 8 Record: 9 Record: 10 output removed