TraceWrangler - Packet Capture Toolkit
Introduction
TraceWrangler is a network capture file toolkit running on Windows (or on Linux, using WINE) that supports PCAP as well as the new PCAPng file format, which is now the standard file format used by Wireshark. The most prominent use case for TraceWrangler is the easy sanitization and anonymization of PCAP and PCAPng files (sometimes called "trace files", "capture files" or "packet captures"), removing or replacing sensitive data while being easy to use.
Features
- Utility to read, write and modify PCAPng files
- Sanitization/Anonymization/Scrubbing of packet captures created by Wireshark/TCPDump/etc.
- Editing packets in batch, especially by removing certain protocol layers like MPLS, GRE or GTP-u, or to convert Linux cooked captures to Pseudo-Ethernet
- Merging capture files, especially PCAPng files with more than one interface and using filters to keep only certain frames
- Gathering and aggregating packet details about a large number of capture files, like IP, TCP and UDP conversations
- Displaying the PCAPng specific block structure of a file
- Extracting conversations from multiple files to new capture files, based on manual filters, capture file indicator frames, or Snort alerts
License and Certificates/Hashes
TraceWrangler is freely available as open source, and is released under the GNU General Public License version 2.
Update 20th of May, 2025:
I haven't worked on TraceWrangler much the last couple of months (years :-/). Also, my build pipeline is not working correctly anymore, and I need to fix it (among many other things).
This means that
- TraceWrangler is currently not signed by a code signing certificate because I didn't renew it for quite some time. They're not cheap and there's a lot of hassle to get them.
- TraceWrangler is also not GPG signed by my PGP key below because my GPG setup seems broken and unable to find/work with my keystore (why is PGP/GPG so damn complicated/difficult to use?! Yeah, I know, overengineered...)
- the source code ZIP file is outdated because I need to work on it to be compatible with the free Delphi version which I do not have (yet)
Download
Created: January 12, 2025
32bit version: TraceWrangler Beta 0.6.9 build 984
MD5 (32bit zip): ce4a4c9c159f31b6ab151f8234b065eb
64bit version: TraceWrangler Beta 0.6.9 build 984
MD5 (64bit zip): 03ab18e52617cf9345c16024ed3b3500
Source Code: TraceWranglerSrc_0.6.8.zip (outdated)
My GPG public key can be found here
Documentation
Documentation is available online, as well as a Windows help file inside the download container. There is also a PDF file.
Presentations
You can also take a look at the presentation I did about anonymizing network packet trace files at Sharkfest 2013.
Changelog and Updates
There is a ChangeLog available, listing all the changes for published versions (outdated, too. Sorry.).
Updated versions will also be announced via BlueSky (@packetjay).
Feedback and Known Issues
Send feedback about bugs, feature requests and other topics to "jasper [ät] packet-foo.com". My PGP key is found here.
If you send bug reports, please include
- a description of how to reproduce the problem
- a short sample trace, if possible
- the .task file you used, if you still have it.
TraceWrangler has some limitations at the moment (which may most likely last a little longer than just "a moment"):
- The maximum trace file size is less than 2 GBytes. This limitation is a result of the way the files are read by using memory-mapped files. I'll work on this "when there is time"™.
- Capture files that contain truncated or damaged frames may not work under all circumstances. I recommend using captures that contain full sized frames. The reason for this is that I may have been lazy in some parts of the code where I do sanity checks against the length of the data available for processing, which is a great way to run some pointers into the great beyond. Ouch.
- IPv6 checksums may not be calculated correctly when extension headers (including fragmentation headers) are used in a frame.
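A pre-flight check for the first two limitations above, as an added example that is not part of TraceWrangler or written by its author: it walks the record headers of a classic PCAP file and reports frames captured shorter than their wire length, records that run past the end of the file, and files at or above the 2 GByte limit. The function names and the constructed sample capture are assumptions for illustration, and PCAPng input is not handled.

```python
import struct
import sys

MAX_SIZE = 2 * 1024**3  # the page states files must be smaller than 2 GBytes

# Magic number as read little-endian -> struct byte-order prefix of the file
MAGICS = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">",   # microsecond timestamps
          0xA1B23C4D: "<", 0x4D3CB2A1: ">"}   # nanosecond timestamps


def preflight(data: bytes) -> dict:
    """Scan a classic PCAP image and report what a length-sensitive tool may trip over."""
    if len(data) < 24:
        raise ValueError("too short for a PCAP global header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic not in MAGICS:
        raise ValueError("not a classic PCAP file (PCAPng is not handled here)")
    order = MAGICS[magic]
    report = {"frames": 0, "truncated": [], "damaged_at": None,
              "too_large": len(data) >= MAX_SIZE,
              "snaplen": struct.unpack_from(order + "I", data, 16)[0]}
    offset = 24
    while offset < len(data):
        body = offset + 16
        if body > len(data):                      # record header itself is cut off
            report["damaged_at"] = offset
            break
        _, _, incl_len, orig_len = struct.unpack_from(order + "IIII", data, offset)
        if incl_len > len(data) - body:           # captured bytes run past end of file
            report["damaged_at"] = offset
            break
        report["frames"] += 1
        if incl_len < orig_len:                   # frame was sliced at capture time
            report["truncated"].append(report["frames"])
        offset = body + incl_len
    return report


def sample_capture(order: str = "<") -> bytes:
    """Constructed sample: one full frame, one sliced frame (4 of 60 bytes), one cut-off record."""
    hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    full = struct.pack(order + "IIII", 1, 0, 8, 8) + b"\x00" * 8
    cut = struct.pack(order + "IIII", 2, 0, 4, 60) + b"\x00" * 4
    damaged = struct.pack(order + "IIII", 3, 0, 100, 100) + b"\x00" * 10
    return hdr + full + cut + damaged


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    print(preflight(raw))
```

Frame numbers in `truncated` are 1-based, matching Wireshark's frame numbering, and `damaged_at` is the file offset of the first record that cannot be read in full.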
Thanks, and have fun,
Jasper