A record is a capture file. It contains the packets captured during a
sniff, but it can also be created by hand. There are 7 formats for
records: pcap (tcpdump compatible), bin (binary, unreadable by humans
but fast to read and write) and mixed/mixed_wrap/dump/hexa/hexa_wrap
(text formats that are easy to read and edit). A record also has an
associated DLT (Data Link Type), indicating at which layer each packet
starts: raw (the packet starts at the IP header) and ether (the packet
starts at the Ethernet header) are the two most common DLTs. Tool 13
displays the DLT of each device.
This tool searches for a pattern in the packets of a record and saves
the matching packets in another record. The pattern can be a plain
string, a mixed string ('hello' 09 'bob', i.e. quoted text and bare hex
bytes), or a regular expression; the three forms are selected with the
--string, --mixed and --regexp booleans.
Parameter --src-file indicates the input record filename.
Parameter --dst-file indicates the output record filename.
Parameter --recordencode defines how to encode data in the output record
(suggested values: bin, pcap and mixed_wrap).
| parameter | description | example |
|---|---|---|
| -f\|--src-file file | input record file | srcfile.txt |
| -F\|--dst-file file | output record file | dstfile.txt |
| -r\|--recordencode recordencode | encoding type for output record | bin |
| -p\|--pattern data | searched pattern | |
| -c\|--case\|+c\|--no-case | case sensitive | |
| -S\|--string\|+S\|--no-string | search string | This boolean is set by default. Use + or --no- to unset it. |
| -M\|--mixed\|+M\|--no-mixed | search mixed string | |
| -R\|--regexp\|+R\|--no-regexp | search regular expression | |
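The following is an added example, not netwox's own code, showing what the tool described above does on a pcap record: it reads the global header and packet records, tests each packet's bytes against a string, a mixed string ('hello' 09 'bob') or a regular expression, honours case sensitivity, and writes the matching packets to a new pcap that keeps the input DLT. The sample record is constructed inline (three hand-made packets whose bytes are just payload text, under DLT 1); the function names and the `kind` parameter are this example's own, not the tool's options.

```python
import re
import struct

PCAP_MAGIC = 0xA1B2C3D4


def write_pcap(linktype, pkts, snaplen=65535):
    """Serialise (ts_sec, ts_usec, orig_len, data) tuples as a little-endian pcap."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, orig, data in pkts:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(data), orig) + data)
    return b"".join(out)


def read_pcap(data):
    """Return (linktype, [(ts_sec, ts_usec, orig_len, bytes), ...]); both byte orders accepted."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a pcap record (bad magic)")
    linktype = struct.unpack(end + "IHHiIII", data[:24])[6]
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl > len(data):
            raise ValueError("truncated packet record at offset %d" % off)
        pkts.append((ts_sec, ts_usec, orig, data[off:off + incl]))
        off += incl
    return linktype, pkts


MIXED_TOKEN = re.compile(r"\s*(?:'([^']*)'|([0-9A-Fa-f]+))")


def parse_mixed(text):
    """Mixed pattern: quoted text is literal, bare tokens are hex bytes ('hello' 09 'bob')."""
    out, pos = bytearray(), 0
    while pos < len(text):
        m = MIXED_TOKEN.match(text, pos)
        if not m:
            if text[pos:].strip() == "":
                break
            raise ValueError("bad mixed token at %d: %r" % (pos, text[pos:]))
        lit, hx = m.groups()
        if lit is not None:
            out += lit.encode()
        else:
            if len(hx) % 2:
                raise ValueError("odd-length hex token %r" % hx)
            out += bytes.fromhex(hx)
        pos = m.end()
    return bytes(out)


def make_matcher(pattern, kind="string", case_sensitive=True):
    """Build a predicate over raw packet bytes for the three pattern kinds."""
    if kind == "regexp":
        flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
        rx = re.compile(pattern.encode(), flags)
        return lambda pkt: rx.search(pkt) is not None
    needle = pattern.encode() if kind == "string" else parse_mixed(pattern)
    if case_sensitive:
        return lambda pkt: needle in pkt
    needle_l = needle.lower()  # ASCII-only folding, like bytes.lower()
    return lambda pkt: needle_l in pkt.lower()


def search_record(src_bytes, pattern, kind="string", case_sensitive=True):
    """Return (dst_pcap_bytes, match_count); the output keeps the input DLT."""
    linktype, pkts = read_pcap(src_bytes)
    match = make_matcher(pattern, kind, case_sensitive)
    kept = [p for p in pkts if match(p[3])]
    return write_pcap(linktype, kept), len(kept)


# Constructed sample record (DLT 1): packet bytes are plain text for readability.
SAMPLE = write_pcap(1, [
    (1000, 0, 40, b"GET /index.html HTTP/1.1\r\nHost: hello\tbob\r\n"),
    (1001, 0, 9, b"Hello\tBob"),
    (1002, 0, 12, b"nothing here"),
])

if __name__ == "__main__":
    out, n = search_record(SAMPLE, "'hello' 09 'bob'", "mixed", case_sensitive=False)
    print("matched", n, "packets,", len(out), "bytes written")
```

Case folding here only touches ASCII letters, and a regexp pattern is applied to the whole packet bytes (link-layer header included), so anchors such as `^` refer to the start of the frame at the record's DLT, not to the start of the payload.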