How to edit a PCAP file

By Ostinato Team

"PCAP or it didn't happen" is a common joke (read: gripe) among network engineers when the application team blames the network for the app's poor performance.

Pcap T-shirt from Hackmethod swag shop

PCAP files are often used to analyze networking problems and deemed-to-be networking problems. They are useful because they give us a low level view about what’s happening close to the wire - you can view and analyze PCAP files using the excellent Wireshark tool.

Often you also need to replay the PCAP in a lab or controlled environment to further analyze or debug the problem. But even when you have a PCAP file to replay, it may not be possible to replay it as it is, since the replay environment differs from the capture environment in network topology, IP addresses etc. So you will need to edit the PCAP file to make it suitable for replay in your reproducer environment by changing MAC/IP addresses or VLANs and potentially other fields as well.

Here are some tools that can help you edit PCAP files (or the newer pcapng files).

editcap

Wireshark comes with a useful set of PCAP related tools including one called editcap. It can do a bunch of useful things like translate the pcap file format, select only specified packets from the pcap file to write to the output pcap(ng) file, remove duplicate packets, truncate packets, split one input PCAP file into multiple output PCAP files, adjust the timing of the packets etc.

The name can be misleading though, because what editcap cannot do is edit the contents of the packets, for example changing fields such as MAC/IP addresses within the packets.

To do that use any of the other tools.

tcprewrite

tcprewrite (from the creators of tcpreplay) is a command-line tool that can edit PCAPs and supports modifying all the common packet fields:

  • Layer 2: Src/Dst Mac, VLANs
  • Layer 3: IPv4/IPv6 addresses (with some useful NAT related rewrites), IPv4 TOS (or DSCP), TTL, IPv6 Traffic Class and Flow label
  • Layer 4: TCP/UDP port numbers

Changing packet fields may require recalculating and fixing packet checksums; tcprewrite has a flag (--fixcsum) to do that, as well as one (--fixlen) to truncate or pad packets so that the actual packet length matches the value specified in the IPv4 header.
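To show what an IP remap plus checksum fix (what tcprewrite does with --srcipmap/--dstipmap and --fixcsum) involves at the byte level, here is an added example in plain Python; it is not tcprewrite's or Ostinato's code. It handles only untagged Ethernet/IPv4 frames in a little-endian classic pcap and refreshes only the IPv4 header checksum; TCP/UDP checksums also cover the addresses via the pseudo-header and would need the same treatment in a real tool. The one-frame pcap it operates on is constructed inline.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps; constructed file is little-endian


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 when a header's stored checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def rewrite_ipv4(frame: bytes, ipmap: dict) -> bytes:
    """Remap src/dst of an untagged Ethernet/IPv4 frame per ipmap {old: new} and refresh the IP checksum.
    Non-IPv4 frames (including 802.1Q-tagged ones) pass through unchanged; L4 checksums are not fixed."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return frame
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    for off in (12, 16):  # src and dst address offsets within the IPv4 header
        old = str(ipaddress.IPv4Address(bytes(ip[off:off + 4])))
        if old in ipmap:
            ip[off:off + 4] = ipaddress.IPv4Address(ipmap[old]).packed
    ip[10:12] = b"\x00\x00"  # checksum field must be zero while it is computed
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return frame[:14] + bytes(ip) + frame[14 + ihl:]


def rewrite_pcap(data: bytes, ipmap: dict) -> bytes:
    """Walk a little-endian classic pcap and rewrite each frame; global and record headers are copied as-is."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("example handles little-endian classic pcap only")
    out, pos = bytearray(data[:24]), 24
    while pos + 16 <= len(data):
        incl_len = struct.unpack("<IIII", data[pos:pos + 16])[2]
        out += data[pos:pos + 16] + rewrite_ipv4(data[pos + 16:pos + 16 + incl_len], ipmap)
        pos += 16 + incl_len
    return bytes(out)


def build_sample_pcap() -> bytes:
    """Constructed one-frame pcap: Ethernet + IPv4 10.0.0.1 -> 10.0.0.2 (proto 17) + 4 payload bytes."""
    eth = bytes.fromhex("000000000001" "000000000002" "0800")
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24, 1, 0, 64, 17, 0,
                               b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    frame = eth + bytes(ip) + b"abcd"
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return header + struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
```

Running `rewrite_pcap(build_sample_pcap(), {"10.0.0.1": "192.168.1.10"})` yields a file of the same size whose IPv4 header still verifies (ipv4_checksum over it returns 0), which is exactly the property Wireshark's checksum validation would flag if the fix were skipped.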

TraceWrangler

Although it can do other things too, the primary focus of TraceWrangler is to anonymize, sanitize and scrub PCAP files so that you can remove private and confidential information before sharing a PCAP file.

Using a GUI, you can select your anonymization/randomization options that will be applied to one (or more) input PCAP files.

TraceWrangler GUI for editing PCAP files

TraceWrangler is Windows only (but expected to work with WINE on Linux).

Ostinato

Although Ostinato is primarily a packet generator, it can import packets from a PCAP file into native Ostinato streams and then using the familiar Find & Replace paradigm, bulk edit any packet field of any (Ostinato supported) protocol to the desired value across all (or some) of the imported packets.

Ostinato editing PCAP files - individual packet or bulk edit

You can also edit streams/packets one by one, if required. Once all desired changes have been made, you can save the modified streams as another PCAP file or directly replay the packets.

WireEdit

WireEdit is the big daddy of all pcap editors. It supports a large number of protocols that it can decode and edit packet fields in-place within a Wireshark-like GUI or using Find & Replace.

WireEdit edits PCAP files and supports various protocols

These are only some pcap editor tools. You can find more PCAP tools at Wireshark Tools.

All these tools are desktop tools that you need to download and run. Although there are many web based online PCAP viewers, we haven’t found an online PCAP editor yet.