While writing Understanding EIGRP Queries, I found myself in a predicament. I needed to record EIGRP traffic from five separate routed links within GNS3 and compare the packets from all captures in reference to a single chronology. Working off the timestamps recorded for each packet and examining the captures in parallel is an option, but cumbersome and prone to error. I wanted a single capture file containing the EIGRP packets from all five captures.
I quickly found mergecap, part of the Wireshark package.
mergecap can combine packets from multiple captures into a single file, in chronological order:
stretch$ capinfos -c *.cap
File name:           R1_to_R3.cap
Number of packets:   56
File name:           R2_to_R3.cap
Number of packets:   33
File name:           R4_to_R1.cap
Number of packets:   54
File name:           R4_to_R3.cap
Number of packets:   25
File name:           R5_to_R3.cap
Number of packets:   26

stretch$ mergecap -w all_routers.cap *.cap

stretch$ capinfos -c all_routers.cap
File name:           all_routers.cap
Number of packets:   194
A few notes:
- If intending to combine packets captured from different machines, ensure the machines' clocks have been synchronized tightly via NTP.
- Even with synchronized clocking, the ordering of packets may not be 100% accurate.
mergecap can also be told to concatenate capture files in sequence, rather than chronologically, by appending the