Is there a way to edit a pcap file to remove addresses?

I have a saved pcap file that needs to be edited to remove address. Then save the file back as pcap so the Wireshark features can be used.

I’m exporting the file. Export -> Export Packet Dissection -> as Plain Text file. Make the changes. Now I need to import the file and save as pcap.

Is this possible?

Any help is worth a beer or two!

import export

asked 28 Feb '13, 18:45

VoIP This
16●1●1●4
accept rate: 0%

edited 16 Mar '13, 10:53

Guy Harris ♦♦
17.4k●3●35●196

3 Answers:

active answers oldest answers newest answers popular answers

If ultimate purpose is just editing the pcap file, I would suggest using a pcap editing tool like bittwist, libcrafter,editcap,tcprewrite,netdude or powereditpcap. It would be way easier to use these tools than exporting as txt, editing it and exporting back as pcap.

permanent link

answered 28 Feb '13, 23:04

SidR
245●12●17●22
accept rate: 30%

Thanks SidR. I'll have to read up on the above tools in order to edit out the public addresses and replace them with pseudo addresses. Once again thanks SidR.

(14 Mar '13, 13:07) VoIP This

editcap won't work for this purpose - it doesn't understand packet payloads - but at least some of the other tools should be able to do that.

(13 Apr '16, 17:52) Guy Harris ♦♦

Some resources on anonymizing network traces:

a Sharkfest presentation on trace file anonymization, which mentions some tools;
an answer to another ask.wireshark.org question on this topic;
an e-mail message I sent on the tcpdump-workers mailing list answering somebody's question about anonymization;
an anonymizing tool mentioned in the FAQ for the CAIDA data sets;
another anonymizing tool mentioned in a blog post about it;
still another tool that showed up in the Google search I used to find these resources;
and another packet manipulating tool whose Wiki gives an example of how to anonymize IPv4 addresses with it;
and another tool linked to by the site for the CRAWDAD data sets.

permanent link

answered 16 Mar '13, 11:11

Guy Harris ♦♦
17.4k●3●35●196
accept rate: 19%

0	Another library you can use it PcapPlusPlus (github repo). It has all sorts of parsing and editing capabilities, among them is editing IP addresses permanent link answered 13 Apr '16, 14:17 seladb 1●1 accept rate: 0%

Your answer

toggle preview

community wiki:

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "title")
image?![alt text](/path/img.jpg "title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Question tags:

export ×76
import ×15

question asked: 28 Feb '13, 18:45

question was seen: 19,791 times

last updated: 13 Apr '16, 17:52

Is there a way to edit a pcap file to remove addresses?

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions