This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there a way to edit a pcap file to remove addresses?

0

I have a saved pcap file that needs to be edited to remove addresses. Then save the file back as pcap so the Wireshark features can be used.

I’m exporting the file. Export -> Export Packet Dissection -> as Plain Text file. Make the changes. Now I need to import the file and save as pcap.

Is this possible?

Any help is worth a beer or two!

asked 28 Feb '13, 18:45

VoIP This
accept rate: 0%

edited 16 Mar '13, 10:53

Guy Harris ♦♦


3 Answers:

4

If the ultimate purpose is just editing the pcap file, I would suggest using a pcap editing tool like bittwist, libcrafter, editcap, tcprewrite, netdude or powereditpcap. It would be way easier to use these tools than exporting as txt, editing it and exporting back as pcap.

answered 28 Feb '13, 23:04

SidR
accept rate: 30%

Thanks SidR. I'll have to read up on the above tools in order to edit out the public addresses and replace them with pseudo addresses. Once again thanks SidR.

(14 Mar '13, 13:07) VoIP This

editcap won't work for this purpose - it doesn't understand packet payloads - but at least some of the other tools should be able to do that.

(13 Apr '16, 17:52) Guy Harris ♦♦

0

Another library you can use is PcapPlusPlus (GitHub repo). It has all sorts of parsing and editing capabilities, among them editing IP addresses.

answered 13 Apr '16, 14:17

seladb
accept rate: 0%
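
Added example, not part of the original thread and not code from any of the tools named in the answers: a standard-library Python sketch of the address replacement discussed above, mapping each IPv4 source and destination to a stable pseudo address and recomputing the IPv4 header checksum. It assumes a classic (microsecond) pcap file with untagged Ethernet frames; the function names and the 10.0.0.x pseudo range are illustrative choices. TCP/UDP checksums and addresses carried inside payloads (for example SIP/SDP bodies) are not rewritten, which is the payload limitation raised in the comment about editcap.

```python
# Added example; function names and the 10.0.0.x pseudo range are assumptions.
import ipaddress, struct

def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def anonymize_pcap(data: bytes) -> tuple:
    """Replace every IPv4 src/dst with a stable pseudo address (10.0.0.1, .2, ...)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected classic pcap with LINKTYPE_ETHERNET")
    mapping, out, off = {}, bytearray(data[:24]), 24
    while off + 16 <= len(data):
        incl = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        pkt = bytearray(data[off + 16:off + 16 + incl])
        ihl = (pkt[14] & 0x0F) * 4 if len(pkt) > 14 else 0
        # Untagged Ethernet carrying IPv4 with a complete header; others pass through.
        if pkt[12:14] == b"\x08\x00" and ihl >= 20 and len(pkt) >= 14 + ihl:
            for pos in (26, 30):  # source, destination
                real = bytes(pkt[pos:pos + 4])
                if real not in mapping:
                    pseudo = ipaddress.IPv4Address("10.0.0.1") + len(mapping)
                    mapping[real] = pseudo.packed
                pkt[pos:pos + 4] = mapping[real]
            pkt[24:26] = b"\x00\x00"  # zero, then recompute header checksum
            pkt[24:26] = struct.pack("!H", ip_checksum(bytes(pkt[14:14 + ihl])))
        out += data[off:off + 16] + pkt
        off += 16 + incl
    return bytes(out), mapping

def sample_pcap() -> bytes:
    """Constructed two-packet capture; UDP checksum 0 means 'not used' in IPv4."""
    def frame(src, dst):
        ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
               ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
        ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
        pkt = (b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + bytes(ip)
               + struct.pack("!HHHH", 5060, 5060, 8, 0))
        return struct.pack("<IIII", 0, 0, len(pkt), len(pkt)) + pkt
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + frame("203.0.113.5", "198.51.100.7") + frame("198.51.100.7", "203.0.113.5")

if __name__ == "__main__":
    for real, pseudo in anonymize_pcap(sample_pcap())[1].items():
        print(ipaddress.IPv4Address(real), "->", ipaddress.IPv4Address(pseudo))
```

The returned mapping reverses the anonymization, so it should be stored as carefully as the original capture, and the output should still be checked in Wireshark for addresses left in payloads before sharing.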