Splitting Wireshark packet capture files


If you want to study the pcapng and pcap file formats, the Wireshark source code is the reference:

pcap, the format tcpdump writes by default
https://github.com/wireshark/wireshark/blob/master/wiretap/libpcap.h

pcapng, the format Wireshark writes by default
https://github.com/wireshark/wireshark/blob/master/wiretap/pcapng.h

Lao Chen's Monologue (老陳獨白): parsing the pcap file format
http://myblog-maurice.blogspot.tw/2012/02/pcap.html


Split a file by packet count

Linux  editcap -c 1000 test.pcapng out.pcapng

Windows 10 PowerShell e.g.
  &"C:\Program Files\Wireshark\editcap.exe" -c 1000 test.pcapng out.pcapng

Note that editcap does not write a file literally named out.pcapng: each chunk of 1000 packets goes to a separate file with a sequence number and timestamp inserted before the extension (out_00000_<YYYYmmddHHMMSS>.pcapng, out_00001_...). Use -i <seconds> instead of -c to split by time interval.

Merge the split capture files

mergecap -w merged.pcapng source_files_*

By default mergecap interleaves the packets from all inputs in timestamp order; use -a to concatenate the files in the order given on the command line instead. The shell expands source_files_* in alphabetical order, which for editcap's zero-padded names is also the original packet order.

Select specific packets

editcap -r capture.pcap select.pcap 1 5 10-20 30-40

Keeps only packets 1, 5, 10 to 20 and 30 to 40. Packet numbers are 1-based positions in the input file (the "No." column in Wireshark). Without -r the meaning inverts: the listed packets are the ones deleted and everything else is kept.

Convert pcapng to pcap

editcap -F libpcap capture.pcapng out.pcap

Anything classic pcap cannot represent is lost in the conversion: packet comments, interface descriptions, name resolution blocks and per-interface timestamp resolution. A pcapng capture containing more than one link-layer type cannot be written as a single pcap file at all, because the pcap global header holds exactly one link type.

Print the MD5 of every packet

Linux
  editcap -v -D 0 capture.pcap /dev/null

Windows
  editcap.exe -v -D 0 capture.pcap NUL

Windows 10 PowerShell e.g.
  &"C:\Program Files\Wireshark\editcap.exe" -v -D 0 test.pcapng NUL

-D is duplicate-packet removal; its argument is the window of preceding packets each packet is compared against. A window of 0 compares against nothing, so no packet is removed, and -v makes editcap print the MD5 it computed for each packet ("Packet: N, MD5 hash: ..."). The hash covers the captured packet bytes only, not the record header or timestamp, so two packets with identical content but different timestamps hash the same. The output capture is useless here, which is why it is sent to /dev/null or NUL.
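The four editcap/mergecap operations above (splitting by packet count, merging in timestamp order, selecting packet ranges with and without -r, and the per-packet MD5 listing) reimplemented directly on the classic pcap record layout from wiretap/libpcap.h, so the format being manipulated is visible. This is an added example, not code from the original page or from Wireshark; the Record/Pcap types, the function names and the sample capture are this example's own, and pcapng is rejected rather than parsed.

```python
import hashlib
import struct
from typing import List, NamedTuple

# Magic read as little-endian uint32 gives byte order and timestamp resolution (wiretap/libpcap.h).
MAGICS = {0xA1B2C3D4: "<", 0xA1B23C4D: "<",   # little-endian: microsecond / nanosecond
          0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}   # big-endian:    microsecond / nanosecond
GLOBAL_HDR_LEN = 24       # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
REC_HDR_LEN = 16          # ts_sec, ts_frac, incl_len (caplen), orig_len
MAX_PACKET_SIZE = 262144  # Wireshark's WTAP_MAX_PACKET_SIZE_STANDARD: bound caplen before trusting it


class Record(NamedTuple):
    ts_sec: int
    ts_frac: int
    orig_len: int
    data: bytes  # captured bytes only; this is what editcap -D hashes


class Pcap(NamedTuple):
    header: bytes  # 24-byte global header, kept verbatim so output matches input
    endian: str
    linktype: int
    records: List[Record]


def parse_pcap(blob: bytes) -> Pcap:
    """Walk the classic pcap record chain; pcapng (block type 0x0A0D0D0A) is rejected, not parsed."""
    if len(blob) < GLOBAL_HDR_LEN:
        raise ValueError("truncated global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic not in MAGICS:
        raise ValueError(f"magic {magic:#010x} is not classic pcap")
    endian = MAGICS[magic]
    linktype = struct.unpack(endian + "I", blob[20:24])[0]
    records, off = [], GLOBAL_HDR_LEN
    while off < len(blob):
        if len(blob) - off < REC_HDR_LEN:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + REC_HDR_LEN])
        off += REC_HDR_LEN
        # A corrupt or crafted caplen must fail here; a silent short slice would misalign every later record.
        if incl_len > MAX_PACKET_SIZE or len(blob) - off < incl_len:
            raise ValueError(f"record at offset {off - REC_HDR_LEN} claims {incl_len} bytes")
        records.append(Record(ts_sec, ts_frac, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return Pcap(blob[:GLOBAL_HDR_LEN], endian, linktype, records)


def write_pcap(p: Pcap, records: List[Record]) -> bytes:
    out = [p.header]
    for r in records:
        out.append(struct.pack(p.endian + "IIII", r.ts_sec, r.ts_frac, len(r.data), r.orig_len))
        out.append(r.data)
    return b"".join(out)


def split_by_count(blob: bytes, per_file: int) -> List[bytes]:
    """editcap -c <per_file>: every chunk is a complete pcap carrying its own global header."""
    p = parse_pcap(blob)
    return [write_pcap(p, p.records[i:i + per_file]) for i in range(0, len(p.records), per_file)]


def parse_ranges(spec: str) -> set:
    """'1 5 10-20' -> {1, 5, 10, ..., 20}; packet numbers are 1-based like editcap's."""
    chosen = set()
    for tok in spec.split():
        lo, _, hi = tok.partition("-")
        lo_n, hi_n = int(lo), int(hi) if hi else int(lo)
        if lo_n < 1 or hi_n < lo_n:
            raise ValueError(f"bad packet range {tok!r}")
        chosen.update(range(lo_n, hi_n + 1))
    return chosen


def select_packets(blob: bytes, spec: str, keep: bool = True) -> bytes:
    """keep=True is 'editcap -r' (keep only the listed packets); keep=False is editcap
    without -r, where the listed packets are the ones deleted."""
    p = parse_pcap(blob)
    chosen = parse_ranges(spec)
    return write_pcap(p, [r for n, r in enumerate(p.records, start=1) if (n in chosen) == keep])


def merge(blobs: List[bytes]) -> bytes:
    """mergecap default mode: interleave all packets in timestamp order (stable for ties).
    Inputs must share magic (byte order, resolution) and link type; mergecap handles mixed
    inputs by writing pcapng, which this example does not attempt."""
    parts = [parse_pcap(b) for b in blobs]
    first = parts[0]
    for q in parts[1:]:
        if q.header[:4] != first.header[:4] or q.linktype != first.linktype:
            raise ValueError("inputs differ in magic or link type; not mergeable as classic pcap")
    ordered = sorted((r for q in parts for r in q.records), key=lambda r: (r.ts_sec, r.ts_frac))
    return write_pcap(first, ordered)


def packet_md5s(blob: bytes) -> List[str]:
    """editcap -v -D 0: MD5 of each packet's captured bytes, record header excluded, nothing dropped."""
    return [hashlib.md5(r.data).hexdigest() for r in parse_pcap(blob).records]


def make_sample_pcap(n: int = 7) -> bytes:
    """Constructed sample: n Ethernet frames one second apart; frame 6 repeats frame 3's bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    recs = []
    for i in range(1, n + 1):
        payload = b"packet-%d" % (3 if i == 6 else i)
        frame = bytes.fromhex("ffffffffffff 020000000001 0800") + payload
        recs.append(Record(1_600_000_000 + i, 0, len(frame), frame))
    return write_pcap(Pcap(hdr, "<", 1, []), recs)
```

Typical use on the constructed sample: `chunks = split_by_count(make_sample_pcap(), 3)` gives three files of 3, 3 and 1 packets, `merge(chunks[::-1])` reproduces the original byte for byte even when the chunks are supplied out of order, and `packet_md5s(...)` shows packets 3 and 6 hashing identically because only the captured bytes are hashed, which is exactly the condition under which a non-zero `editcap -D` window would drop packet 6.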

References

Wireshark file splitting and merging (CSDN, in Chinese)
https://blog.csdn.net/qq_20480611/article/details/50774686

Editcap Guide: 11 Examples To Handle Network Packet Dumps Effectively
https://www.thegeekstuff.com/2009/02/editcap-guide-11-examples-to-handle-network-packet-dumps-effectively
