On Jan 15, 2008, at 3:04 PM, Renata Wowk wrote:
> I need to create from a capture file a new .pcap file with only the
> header information: the TCP, IP and Ethernet header data.
> The new file will have the same packet numbers as the original
> one, but only with the header data, without the payload.
> How can I create this filter in Wireshark?
You can't. A "display filter" doesn't filter out information from
packets, it filters out packets from a capture - i.e., a display
filter says "select only these packets", not "select only these parts
of the packets".
There isn't a good mechanism in any of the tools that come with
Wireshark for discarding the TCP payload from a capture; you could try
using editcap with a "-s" flag, where the "-s" value is the sum of the
length of the largest IP and TCP headers and the length of the
Ethernet header, but you'd have to guess what the largest IP and TCP
headers are, or pick a value that you hope will be large enough. If
it's too small, a packet with more IP or TCP options than you guessed
will have its headers cut short; if it's too large, you'll get some
packet payload as well as the headers.
However, it appears that Bit-Twist's "bittwiste" program could be used
on libpcap files to strip out everything after the TCP header; the man
page for bittwiste says:
OPTIONS
...
-L layer
Copy up to the specified layer and discard the remaining data.
Value for layer must be either 2, 3 or 4 where 2 for Ethernet, 3 for
ARP or IP, and 4 for ICMP, TCP or UDP.
See
http://bittwist.sourceforge.net/
for Bit-Twist.
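The per-packet cut that the reply says editcap cannot make (reading each packet's IHL and TCP data-offset fields instead of guessing one "-s" value) is straightforward to do by hand on a classic libpcap file. The script below is an added example, not code from this thread, from Wireshark or from Bit-Twist. It is plain stdlib Python, assumes the classic pcap format (not pcapng) with an Ethernet link type, handles IPv4 over Ethernet II only, and copies any other frame (ARP, IPv6, ICMP) unchanged so that every record, and therefore every packet number, survives. The sample capture it builds is constructed for the demonstration, not real traffic.

```python
"""Added example (not from the Wireshark thread or any of its tools): rewrite a
classic libpcap file so that each record keeps only its Ethernet, IPv4 and
TCP/UDP headers. Records are never dropped (packet numbers match the original
capture) and orig_len is preserved, so Wireshark still shows the true wire size.
The cut follows the IHL and TCP data-offset fields, so IP and TCP options are kept."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # value read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1   # value read with "<I" from a big-endian file
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def header_length(frame: bytes) -> int:
    """Number of leading bytes that are Ethernet+IPv4+TCP/UDP header.
    Frames we do not parse (ARP, IPv6, ICMP, truncated) return len(frame): kept whole."""
    if len(frame) < ETH_HDR_LEN + 20:
        return len(frame)
    if struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return len(frame)
    ip = ETH_HDR_LEN
    if frame[ip] >> 4 != 4:
        return len(frame)
    ihl = (frame[ip] & 0x0F) * 4                 # IPv4 header length incl. options
    if ihl < 20 or len(frame) < ip + ihl:
        return len(frame)
    proto, l4 = frame[ip + 9], ip + ihl
    if proto == IPPROTO_TCP and len(frame) >= l4 + 20:
        data_off = (frame[l4 + 12] >> 4) * 4     # TCP header length incl. options
        if data_off >= 20:
            return min(len(frame), l4 + data_off)
    elif proto == IPPROTO_UDP:
        return min(len(frame), l4 + 8)
    return len(frame)


def pcap_endianness(pcap: bytes) -> str:
    """struct byte-order prefix for the record headers of this file."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC_LE:
        return "<"
    if magic == PCAP_MAGIC_BE:
        return ">"
    raise ValueError("not a classic pcap file (pcapng is not handled here)")


def records(pcap: bytes):
    """Yield (ts_sec, ts_usec, incl_len, orig_len, data) for each record."""
    end, off = pcap_endianness(pcap), 24
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", pcap, off)
        off += 16
        yield ts_sec, ts_usec, incl_len, orig_len, pcap[off:off + incl_len]
        off += incl_len


def strip_payloads(pcap: bytes) -> bytes:
    """Copy the global header and every record, truncating data to the headers.
    incl_len shrinks to what was kept; orig_len is untouched."""
    end, out = pcap_endianness(pcap), bytearray(pcap[:24])
    for ts_sec, ts_usec, _incl_len, orig_len, data in records(pcap):
        keep = header_length(data)
        out += struct.pack(end + "IIII", ts_sec, ts_usec, keep, orig_len) + data[:keep]
    return bytes(out)


def summarize(pcap: bytes):
    """(incl_len, orig_len) for each record, in file order."""
    return [(incl, orig) for _, _, incl, orig, _ in records(pcap)]


# --- constructed sample capture (synthetic, not real traffic) ------------------
def eth(ethertype, payload):
    return bytes(6) + b"\x02" * 6 + struct.pack("!H", ethertype) + payload

def ipv4(proto, payload, options=b""):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | (20 + len(options)) // 4, 0,
                      20 + len(options) + len(payload), 1, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload

def tcp(payload, options=b""):
    data_off = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, data_off << 4, 0x18, 8192, 0, 0) + options + payload

def udp(payload):
    return struct.pack("!HHHH", 40001, 53, 8 + len(payload), 0) + payload

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))

SAMPLE_FRAMES = [
    # TCP with 4 bytes of IP options and 8 bytes of TCP options: headers = 14+24+28 = 66
    eth(ETHERTYPE_IPV4, ipv4(IPPROTO_TCP, tcp(b"GET / HTTP/1.0\r\n\r\n",
                                              b"\x02\x04\x05\xb4\x01\x01\x04\x02"),
                             b"\x01\x01\x01\x00")),
    # UDP, no options: headers = 14+20+8 = 42
    eth(ETHERTYPE_IPV4, ipv4(IPPROTO_UDP, udp(b"\x12\x34" + bytes(18)))),
    # ARP: not IPv4, copied unchanged
    eth(0x0806, bytes(28)),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    stripped = strip_payloads(SAMPLE_PCAP)
    for n, (incl, orig) in enumerate(summarize(stripped), 1):
        print(f"frame {n}: kept {incl} of {orig} bytes")
    # with open("headers_only.pcap", "wb") as f: f.write(stripped)
```

Run it on a real file by replacing SAMPLE_PCAP with the bytes of your capture; because only incl_len is changed, Wireshark opens the result with the original packet count, flags each truncated packet as such, and still dissects the full IP and TCP option lists.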