This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Editing a .cap-file

0

Hello! I have captured the PPPoE/PPP session packets at my DSL router and want to use the .cap file for training. Naturally I want to remove my PAP ID and password for security reasons. How can I edit a .cap file? I tried the Windows Editor, but it alters something in the file so that Wireshark refuses to open it.

Any suggestions?

asked 01 Aug '13, 02:08

udo229
16114
accept rate: 0%


3 Answers:

2

PCAP files are binary files so you can't edit them with most text editors. Some UNIX/Linux editors like vile (Vi Like Emacs) advertise themselves as being 8-bit clean (so you can edit binary files without destroying them) but still aren't ideal for editing binary files.

A much better solution in the UNIX/Linux (and also Cygwin) worlds is bvi. It is a true hex editor. I've edited PCAP files with it before (with Wireshark running on the side) and it has worked well enough for small changes.

There may be native Windows binary editors but I'm not aware of them.

Wireshark does have some basic/experimental packet editing features but they are not compiled in by default; to get them you would need to compile your own version of Wireshark with the feature enabled.

answered 01 Aug '13, 06:16

JeffMorriss ♦
6.2k572
accept rate: 27%

Perfect! I found a binary editor for Windows (FrHed) and it worked out perfectly!

Thank you very much!

(01 Aug '13, 06:41) udo229

0

You can use HxD, a freeware hex editor, to edit capture files. It works fine on Windows.
You can download HxD here.

answered 04 Aug '13, 22:45

joke
1.3k4934
accept rate: 9%

0

There is also TraceWrangler, a capture sanitisation tool for pcapng files made by @Jasper. I don't know if it deals with PPP IDs and passwords though.

answered 05 Aug '13, 01:49

grahamb ♦
19.8k330206
accept rate: 22%

No, it does not handle PPP headers yet, but I admit that this question made me look at a trace to see how much work it is :-)

(05 Aug '13, 02:57) Jasper ♦♦
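
Added example, not from the original thread or from any of the tools named in it: the in-place byte edit the hex-editor answers describe, done with a script. It assumes a classic libpcap file (not pcapng) with Ethernet framing and no VLAN tag, and overwrites the PAP Peer-ID and Password of each Authenticate-Request (RFC 1334) with same-length filler so every length field stays valid; `scrub_pap` and `constructed_sample` are names chosen here.

```python
import struct

def scrub_pap(pcap):
    """Overwrite PAP Peer-ID/Password in place; return (capture, requests scrubbed)."""
    buf = bytearray(pcap)
    magic = bytes(buf[:4])
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):    # little-endian writer
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):  # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if len(buf) < 24 or struct.unpack_from(endian + "I", buf, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    pos, scrubbed = 24, 0                         # skip the 24-byte global header
    while pos + 16 <= len(buf):
        incl_len = struct.unpack_from(endian + "I", buf, pos + 8)[0]
        f, end = pos + 16, pos + 16 + incl_len    # frame start / end offsets
        if end > len(buf):
            break                                 # truncated final record
        # Ethernet type 0x8864 (PPPoE session), PPP protocol 0xc023 (PAP),
        # PAP code 1 (Authenticate-Request); assumes no VLAN tag.
        if (incl_len >= 27 and buf[f+12:f+14] == b"\x88\x64"
                and buf[f+20:f+22] == b"\xc0\x23" and buf[f+22] == 1):
            id_len = buf[f+26]                    # Peer-ID Length byte
            pw_off = f + 27 + id_len              # offset of Passwd-Length byte
            if pw_off < end and pw_off + 1 + buf[pw_off] <= end:
                pw_len = buf[pw_off]
                buf[f+27:f+27+id_len] = b"X" * id_len
                buf[pw_off+1:pw_off+1+pw_len] = b"X" * pw_len
                scrubbed += 1
        pos = end
    return bytes(buf), scrubbed

def constructed_sample():
    """Constructed one-packet capture: PAP request, ID 'user@isp', password 'secret'."""
    pap_body = bytes([8]) + b"user@isp" + bytes([6]) + b"secret"
    pap = struct.pack("!BBH", 1, 1, 4 + len(pap_body)) + pap_body
    ppp = b"\xc0\x23" + pap
    pppoe = struct.pack("!BBHH", 0x11, 0x00, 0x0001, len(ppp)) + ppp
    frame = b"\x02" * 6 + b"\x04" * 6 + b"\x88\x64" + pppoe
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return ghdr + rec + frame

if __name__ == "__main__":
    out, n = scrub_pap(constructed_sample())
    print(n, out[40 + 26:])
```

Because the filler keeps the original lengths, the lengths of the ID and password remain visible in the sanitised file.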