This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to edit the resulting file dump?

0

How to edit the resulting file dump. Trim the time until the right moment. I need to send it to technical support, but with this program I unfortunately did not work.

asked 23 Dec '12, 06:44

Kallikanzarosa's gravatar image

Kallikanzarosa
1113
accept rate: 0%

edited 27 Dec '12, 07:56

multipleinterfaces's gravatar image

multipleinte...
1.3k152340

One Answer:

2

Have a look at editcap which comes with Wireshark. The -A and -B options can specify a start and stop time respectively for the output packets.

answered 23 Dec '12, 07:10

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

where insert this command?

(23 Dec '12, 08:13) Kallikanzarosa

it is a command line tool, so you have to run it in a shell. Calling editcap without parameters will give you a help output.

(23 Dec '12, 18:01) Jasper ♦♦

command it's cmd or in wireshark? I beginner and can't find where insert "editcap"

(27 Dec '12, 05:13) Kallikanzarosa
1

cmd, in the same directory where you find the wireshark executable.

(27 Dec '12, 05:28) Kurt Knochner ♦

step by step ?) I can't do it. I must use "START C:\Program Files\Wireshark\editcap.exe" or not?

(27 Dec '12, 05:31) Kallikanzarosa

pls. I need sent it to zyxel support(

(27 Dec '12, 06:06) Kallikanzarosa
1

I must use "START C:\Program Files\Wireshark\editcap.exe" or not?

well, you could have tested that yourself, right? But never mind. Here is a step-by-step guide.

  • step 1: open a DOS box (read the windows help how to do that)
  • step 2: change to the directory where your capture file (input.pcap) is located

cd c:\my_directory_where_the_cap_file_lives

  • step 3: type the following in the DOS box

%programfiles%\wireshark\editcap -A 2012-12-24 08:00 -B 2012-12-24 10:00 input.pcap output.pcap

WARNING: The dates are just sample dates. Please use your own!!!

HINT If you don't know what '-A' and '-B' will do for you, please read the man page of editcap!!

http://www.wireshark.org/docs/man-pages/editcap.html

  • step 4: check the file c:\my_directory_where_the_cap_file_lives\output.cap with wireshark
  • step 5: if everything is O.K., open your mail client and attach the file c:\my_directory_where_the_cap_file_lives\output.cap into a mail to zyxel support
  • step 6: wait for a response
  • step 7: come back here if you or zyxel support have any further questions

Regards
Kurt

(27 Dec '12, 06:51) Kurt Knochner ♦
1

For detailed usage info of editcap see here.

But going back to the original question, it seems to me that you've got a capture file you can load in Wireshark. If that is so then you could note the frame number of the first and last frame of the time span you are interested in sending to zyxel. Then go to the menu File|Save As... and define, at the bottom of the dialog, the packet range using the numbers you noted before.

(27 Dec '12, 06:54) Jaap ♦
1

Open a command prompt, cd to the directory containing the capture file, and then enter the command c:\program files\wireshark\editcap -A YYYY-MM-DD HH:MM:SS -B YYYY-MM-DD HH:MM:SS infile outfile where infile is the name of your source capture, outfile is the name of the output file, the -A parameter specifies the starting date and time for output packets and -B the ending date and time.

(27 Dec '12, 06:58) grahamb ♦

Time date formet not true (don't work) but I chose packet (333-768) and do it! Thanks!)

(27 Dec '12, 23:09) Kallikanzarosa
showing 5 of 10 show 5 more comments