This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

removing duplicate packets from pcap

0

I want to analyze packet capture file, but it has some duplicate packets.

For e.g., I am setting packet count to 10000 and seeing 11085 count in wireshark. So the goal is to remove duplicate packets which are 1085 in count. I am using latest wireshark version 1.10.2.

I would like to know if there is any way (command line option) using which I can discard duplicate packets and make new pcap with all unique packets.

asked 15 Oct '13, 06:43

npatel's gravatar image

npatel
11336
accept rate: 0%

edited 15 Oct '13, 07:52

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237

One Answer:

2

You can use editcap to remove duplicate frames.

editcap -d input.pcap output.pcap

See the man page for editcap: http://www.wireshark.org/docs/man-pages/editcap.html Options: -d, -D or -w

Regards
Kurt

answered 15 Oct '13, 06:51

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks Kurt!

(15 Oct '13, 07:17) npatel