Editing trace files with Editcap
You can use Editcap to split a trace file that is too large to work with in Wireshark into multiple smaller files, extract a subset of a trace file based on a start and stop time, alter timestamps, remove duplicate packets, and a number of other useful functions.
Type editcap -h at the command prompt for a list of options. The syntax to extract a single packet or a range of packets by packet number is as follows:
editcap -r <infile> <outfile> <packet#>[-<packet#>]
You must specify both <infile> and <outfile>. The -r option specifies that the listed packet or packet range is kept rather than deleted, for example:
editcap -r MergedTraces.pcapng packetrange.pcapng 1-5000
You can split a source trace file into multiple sequential files, each containing the number of packets specified by the -c option:
editcap -c 5000 MergedTraces.pcapng SplitTrace.pcapng
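As an added illustration (not part of the original text and not editcap's own code), the following Python reimplements the two operations above on a classic libpcap file (.pcap, not pcapng), using a constructed in-memory trace: keep_range mirrors -r with a 1-based inclusive packet range, and split_every mirrors -c. The packet contents, timestamps and record layout are constructed for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian classic libpcap magic (microsecond timestamps)
# version 2.4, zone 0, sigfigs 0, snaplen 65535, linktype 1 = Ethernet
GLOBAL_HDR = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)

def build_pcap(n):
    """Construct a classic pcap blob with n dummy packets (constructed test input)."""
    out = bytearray(GLOBAL_HDR)
    for i in range(1, n + 1):
        payload = b"\x00" * 14 + i.to_bytes(2, "big")  # fake Ethernet header + packet number
        # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack("<IIII", 1000 + i, 0, len(payload), len(payload)) + payload
    return bytes(out)

def read_pcap(data):
    """Split a classic pcap blob into (global_header, [record_bytes, ...])."""
    if len(data) < 24 or struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap (pcapng is not handled here)")
    records, off = [], 24
    while off < len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        end = off + 16 + incl_len
        if end > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        records.append(data[off:end])
        off = end
    return data[:24], records

def keep_range(data, first, last=None):
    """Like editcap -r: keep packets first..last (1-based, inclusive); a single number keeps one packet."""
    if first < 1:
        raise ValueError("packet numbers start at 1")
    hdr, recs = read_pcap(data)
    last = first if last is None else last
    return hdr + b"".join(recs[first - 1:last])

def split_every(data, count):
    """Like editcap -c: sequential outputs of at most `count` packets each, in original order."""
    hdr, recs = read_pcap(data)
    return [hdr + b"".join(recs[i:i + count]) for i in range(0, len(recs), count)]

def packet_count(data):
    """Number of packet records in a classic pcap blob."""
    return len(read_pcap(data)[1])
```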
You can eliminate duplicate packets in a file within a five-packet proximity...