Merging Packet Captures

By stretch | Thursday, March 25, 2010 at 3:32 a.m. UTC

While writing Understanding EIGRP Queries, I found myself in a predicament. I needed to record EIGRP traffic from five separate routed links within GNS3 and compare the packets from all captures in reference to a single chronology. Working off the timestamps recorded for each packet and examining the captures in parallel is an option, but cumbersome and prone to error. I wanted a single capture file containing the EIGRP packets from all five captures.

I quickly found mergecap, part of the Wireshark package. mergecap can combine packets from multiple captures into a single file, in chronological order:

stretch$ capinfos -c *.cap
File name:           R1_to_R3.cap
Number of packets:   56

File name:           R2_to_R3.cap
Number of packets:   33

File name:           R4_to_R1.cap
Number of packets:   54

File name:           R4_to_R3.cap
Number of packets:   25

File name:           R5_to_R3.cap
Number of packets:   26
stretch$ mergecap -w all_routers.cap *.cap
stretch$ capinfos -c all_routers.cap
File name:           all_routers.cap
Number of packets:   194

A few notes:

  • If intending to combine packets captured from different machines, ensure the machines' clocks have been synchronized tightly via NTP.
  • Even with synchronized clocking, the ordering of packets may not be 100% accurate.
  • mergecap can also be told to concatenate capture files in sequence, rather than chronologically, by appending the -a argument.
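To make the two merge modes and the clock-skew caveat concrete, here is an added Python example (not code from the post or from the Wireshark project) that implements the same chronological-versus-sequential merge over tiny constructed pcap blobs. The optional per-file offset (in microseconds) is an assumption of this example, not a mergecap flag; it models correcting a capture whose host clock was ahead or behind the others.

```python
import heapq
import struct
from typing import Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap with microsecond timestamps
Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, packet bytes)


def pcap_records(data: bytes) -> Iterator[Record]:
    """Walk the records of a little-endian, microsecond-resolution pcap blob."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    off = 24  # global header is 24 bytes
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def make_pcap(packets: List[Record], linktype: int = 1) -> bytes:
    """Build a pcap blob (global header + records); used to construct test captures."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, payload in packets:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(payload), len(payload)) + payload
    return out


def merge_pcaps(captures: List[bytes], offsets: Optional[List[int]] = None,
                concatenate: bool = False) -> bytes:
    """Merge capture blobs like mergecap: chronologically by default, or back-to-back
    when concatenate=True (the -a behaviour). offsets[i] is a hypothetical per-file
    clock correction in microseconds applied before ordering. Like mergecap, this
    assumes each input file is already in timestamp order."""
    offsets = offsets or [0] * len(captures)
    streams = []
    for cap, shift in zip(captures, offsets):
        streams.append([(s * 1_000_000 + u + shift, pkt) for s, u, pkt in pcap_records(cap)])
    if concatenate:
        merged = [rec for stream in streams for rec in stream]
    else:
        merged = list(heapq.merge(*streams, key=lambda rec: rec[0]))  # k-way merge by time
    return make_pcap([(t // 1_000_000, t % 1_000_000, pkt) for t, pkt in merged])


if __name__ == "__main__":
    # Constructed sample captures: two links, packets interleaved in time.
    link_a = make_pcap([(100, 0, b"a1"), (102, 0, b"a2")])
    link_b = make_pcap([(101, 0, b"b1"), (103, 0, b"b2")])
    print("chronological:", [p for _, _, p in pcap_records(merge_pcaps([link_a, link_b]))])
    print("concatenated: ", [p for _, _, p in pcap_records(merge_pcaps([link_a, link_b], concatenate=True))])
    # Link B's clock was 1.5 s ahead: without the correction its packets land too late.
    print("b skew fixed: ", [p for _, _, p in pcap_records(merge_pcaps([link_a, link_b], offsets=[0, -1_500_000]))])
```

The packet count of the merged output equals the sum of the inputs, which is the same sanity check capinfos -c gives above (56 + 33 + 54 + 25 + 26 = 194).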

About the Author

Jeremy Stretch is a network engineer living in the Raleigh-Durham, North Carolina area. He is known for his blog and cheat sheets here at Packet Life. You can reach him by email or follow him on Twitter.

Comments


shivlu
March 25, 2010 at 3:38 a.m. UTC

Stretch

Thanks for such a wonderful tip. It means the timestamp is only calculated on the basis of the clock. Another question: if I am not getting the clock from a global server, will it work or not?


stretch
March 25, 2010 at 5:34 a.m. UTC

@shivlu: Oh, it'll merge the captures no problem. The issue is that if the clocks on the different machines were off significantly at the time of capture, the packets may not be merged in their actual chronological order.


Sean (guest)
March 25, 2010 at 2:16 p.m. UTC

Sake Blok gave a good presentation at SharkFest 2008 on how to merge files if the clocks are different: http://www.cacetech.com/SHARKFEST.08/, it's the "D01_Blok_Advanced Scripting, Command Line Usage with tshark.ppt" one.

FWIW he's slated to give a similar talk this year. It's a great conference; I'll be there giving a talk on VoIP.

Sean