editcap - Edit and/or translate the format of capture files
-=head1 SYNOPSYS
+=head1 SYNOPSIS
B<editcap>
S<[ B<-c> E<lt>packets per fileE<gt> ]>
S<[ B<-r> ]>
S<[ B<-s> E<lt>snaplenE<gt> ]>
S<[ B<-t> E<lt>time adjustmentE<gt> ]>
+S<[ B<-S> E<lt>strict time adjustmentE<gt> ]>
S<[ B<-T> E<lt>encapsulation typeE<gt> ]>
S<[ B<-v> ]>
I<infile>
can be useful in scripts to identify duplicate packets across trace
files.
-The <dup window> is specifed as an integer value between 0 and 1000000 (inclusive).
+The <dup window> is specified as an integer value between 0 and 1000000 (inclusive).
NOTE: Specifying large <dup window> values with large tracefiles can
result in very long processing times for B<editcap>.
the packet to skipped. The duplicate comparison test stops when
the current packet's relative arrival time is greater than <dup time window>.
-The <dup time window> is specifed as I<seconds>[I<.fractional seconds>].
+The <dup time window> is specified as I<seconds>[I<.fractional seconds>].
The [.fractional seconds] component can be specified to nine (9) decimal
places (billionths of a second) but most typical trace files have resolution
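Review bot: The unchanged line just above the corrected sentence still reads "the packet to skipped". Since this change is a spelling pass over the same paragraph, fix it here as well to "the packet to be skipped".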
=item -E E<lt>error probabilityE<gt>
-Sets the probabilty that bytes in the output file are randomly changed.
+Sets the probability that bytes in the output file are randomly changed.
B<Editcap> uses that probability (between 0.0 and 1.0 inclusive)
to apply errors to each data byte in the file. For instance, a
probability of 0.02 means that each byte has a 2% chance of having an error.
=item -B E<lt>stop timeE<gt>
-Saves only the packets whose timestamp is on or before stop time.
+Saves only the packets whose timestamp is before stop time.
The time is given in the following format YYYY-MM-DD HH:MM:SS
=item -h
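Review bot: The -B description changes the documented boundary from inclusive ("on or before") to exclusive ("before"), which is a behaviour statement rather than a spelling fix, and nothing in the visible lines shows the comparison itself. Confirm the new text matches what the code does for a packet whose timestamp equals the stop time, and call the change out in the commit message. Anyone trimming a capture to an incident window with -B needs to know whether the boundary packet is kept.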
collected on different machines where the time difference between the
two machines is known or can be estimated.
+=item -S E<lt>strict time adjustmentE<gt>
+
+Time adjust selected packets to insure strict chronological order.
+
+The <strict time adjustment> value represents relative seconds
+specified as [-]I<seconds>[I<.fractional seconds>].
+
+As the capture file is processed each packet's absolute time is
+I<possibly> adjusted to be equal to or greater than the previous
+packet's absolute timestamp depending on the <strict time
+adjustment> value.
+
+If <strict time adjustment> value is 0 or greater (e.g. 0.000001)
+then B<only> packets with a timestamp less than the previous packet
+will adjusted. The adjusted timestamp value will be set to be
+equal to the timestamp value of the previous packet plus the value
+of the <strict time adjustment> value. A <strict time adjustment>
+value of 0 will adjust the minimum number of timestamp values
+necessary to insure that the resulting capture file is in
+strict chronological order.
+
+If <strict time adjustment> value is specified as a
+negative value, then the timestamp values of B<all>
+packets will be adjusted to be equal to the timestamp value
+of the previous packet plus the absolute value of the
+<lt>strict time adjustment<gt> value. A <strict time
+adjustment> value of -0 will result in all packets
+having the timestamp value of the first packet.
+
+This feature is useful when the trace file has an occasional
+packet with a negative delta time relative to the previous
+packet.
+
=item -T E<lt>encapsulation typeE<gt>
Sets the packet encapsulation type of the output capture file.
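Review bot: In the negative-value paragraph, "<lt>strict time adjustment<gt>" is missing the E prefix on both escapes and will not render as angle brackets; use the plain "<strict time adjustment>" form found in the rest of this item, or E<lt>...E<gt>. The text also gives 0 and -0 different behaviour (0 adjusts only out-of-order packets, -0 sets every timestamp to the first packet's), so say explicitly that the sign is taken from the argument as typed, since the two values are numerically equal. "Strict chronological order" overstates the result for a value of 0: an adjusted packet receives the previous packet's timestamp, so the output is non-decreasing rather than strictly increasing. Wording: "insure" should be "ensure" in both places, and "will adjusted" should be "will be adjusted".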
editcap -v -D 0 capture.pcap NUL
+To advance the timestamps of each packet forward by 3.0827 seconds:
+
+ editcap -t 3.0827 capture.pcap adjusted.pcap
+
+To insure all timestamps are in strict chronological order:
+
+ editcap -S 0 capture.pcap adjusted.pcap
+
To introduce 5% random errors in a capture file use:
=over 4
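Review bot: The caption "To insure all timestamps are in strict chronological order" should read "ensure", and the -S example covers only the value 0. The option text gives negative values a different meaning (all packets are adjusted, not only the out-of-order ones), so add a second example with a negative value, with a caption that says every timestamp in the output file is rewritten.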