removing duplicate packets from pcap

I want to analyze packet capture file, but it has some duplicate packets.

For e.g., I am setting packet count to 10000 and seeing 11085 count in wireshark. So the goal is to remove duplicate packets which are 1085 in count. I am using latest wireshark version 1.10.2.

I would like to know if there is any way (command line option) using which I can discard duplicate packets and make new pcap with all unique packets.

duplicate packets wireshark

asked 15 Oct '13, 06:43

npatel
11●3●3●6
accept rate: 0%

edited 15 Oct '13, 07:52

Kurt Knochner ♦
24.8k●10●39●237

One Answer:

active answers oldest answers newest answers popular answers

You can use editcap to remove duplicate frames.

editcap -d input.pcap output.pcap

See the man page for editcap: http://www.wireshark.org/docs/man-pages/editcap.html Options: -d, -D or -w

Regards
Kurt

permanent link

answered 15 Oct '13, 06:51

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

Thanks Kurt!

(15 Oct '13, 07:17) npatel

Your answer

toggle preview

community wiki:

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "title")
image?![alt text](/path/img.jpg "title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Question tags:

wireshark ×1,620
packets ×205
duplicate ×41

question asked: 15 Oct '13, 06:43

question was seen: 37,321 times

last updated: 16 Nov '16, 02:16

removing duplicate packets from pcap

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions