
I have a pcap file captured using Wireshark. Suppose the pcap has 6 packets numbered from 1 to 6 as shown below. Now I want to edit this pcap file so that I get the packets in some different order. For example, if the original pcap packets are

1,2,3,4,5,6

I want a new pcap after editing, where the packets are now in the order (say, for example):

2,3,1,4,5,6

Similarly, I can have some other order, e.g. 2,4,5,6,1,3 or any other order.

Can anyone let me know how I can do that (maybe using Wireshark or any other method)? Any help will be greatly appreciated. Thanks.

mezda

1 Answer


You can use a combination of editcap and mergecap.

To solve your problem:

editcap -r in.pcap tmp1 2-3
editcap -r in.pcap tmp2 1
editcap -r in.pcap tmp3 4-6
mergecap -w out.pcap -a tmp1 tmp2 tmp3 
vy32
graphite
  • Thanks for the reply. I tried this thing, but it's not working. From above it seems that "2-3 1-1 4-6" is the order in which we want the packets in the resulting pcap. But this gives all the packets mentioned in the same order. With the above command, in.pcap (having only 6 packets) and out.pcap were the same. Is this working for you? – mezda Oct 09 '12 at 05:47
  • Was sure it worked for me. But it doesn't. You can still use a combination of editcap and mergecap. I'll update the answer. – graphite Oct 09 '12 at 06:34
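
An added example, not part of the answer or comments above: the same reordering done directly on the file bytes, generalized to any permutation of packet numbers. It assumes the classic pcap format (not pcapng); the function names and the six-packet sample are constructed for illustration.

```python
import struct

# Classic pcap (not pcapng): 24-byte global header, then per packet a 16-byte
# record header (ts_sec, ts_frac, incl_len, orig_len) followed by incl_len bytes.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",   # nanosecond timestamps
}

def split_records(data):
    """Return (global_header, [record bytes, ...]) for a classic pcap image."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    endian, records, pos = MAGICS[data[:4]], [], 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        incl_len = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        end = pos + 16 + incl_len
        if end > len(data):
            raise ValueError("truncated packet data at offset %d" % pos)
        records.append(data[pos:end])   # keep header and payload together
        pos = end
    return data[:24], records

def reorder_pcap(data, order):
    """Rebuild the capture with packets in `order` (1-based, as Wireshark numbers them)."""
    header, records = split_records(data)
    if sorted(order) != list(range(1, len(records) + 1)):
        raise ValueError("order must list every packet number exactly once")
    return header + b"".join(records[n - 1] for n in order)

def make_sample(count=6):
    """Constructed sample: `count` one-byte packets, packet n has payload byte n."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n in range(1, count + 1):
        out += struct.pack("<IIII", 1349760000 + n, 0, 1, 1) + bytes([n])
    return out

if __name__ == "__main__":
    shuffled = reorder_pcap(make_sample(), [2, 3, 1, 4, 5, 6])
    print([rec[16] for rec in split_records(shuffled)[1]])
```

Each record keeps its original timestamp, so only the position in the file changes; a tool that sorts by timestamp, such as mergecap without -a, will put the packets back in capture order.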