Merging Packet Captures
By stretch | Thursday, March 25, 2010 at 3:32 a.m. UTC
While writing Understanding EIGRP Queries, I found myself in a predicament. I needed to record EIGRP traffic from five separate routed links within GNS3 and compare the packets from all captures in reference to a single chronology. Working off the timestamps recorded for each packet and examining the captures in parallel is an option, but cumbersome and prone to error. I wanted a single capture file containing the EIGRP packets from all five captures.
I quickly found mergecap, part of the Wireshark package. mergecap can combine packets from multiple captures into a single file, in chronological order:
stretch$ capinfos -c *.cap
File name: R1_to_R3.cap
Number of packets: 56
File name: R2_to_R3.cap
Number of packets: 33
File name: R4_to_R1.cap
Number of packets: 54
File name: R4_to_R3.cap
Number of packets: 25
File name: R5_to_R3.cap
Number of packets: 26
stretch$ mergecap -w all_routers.cap *.cap
stretch$ capinfos -c all_routers.cap
File name: all_routers.cap
Number of packets: 194
A few notes:
- If intending to combine packets captured from different machines, ensure the machines' clocks have been synchronized tightly via NTP.
- Even with synchronized clocking, the ordering of packets may not be 100% accurate.
mergecap can also be told to concatenate capture files in sequence, rather than chronologically, by appending the
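
The clock caveat in the notes above, worked through as an added example (not code from the original post or from Wireshark): a minimal chronological merge of classic pcap files in Python, with a per-capture offset that corrects a known clock error before ordering. The `offset_us` parameter, the helper names and the two sample captures are constructed for illustration; pcapng files are not handled.

```python
import heapq
import struct

MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond timestamps

def read_packets(label, data, offset_us=0):
    """Yield (corrected_time_us, label, frame) from one classic pcap file.

    offset_us (hypothetical parameter) is added to every timestamp to
    undo a known clock error on the machine that took the capture.
    """
    # The magic read little-endian tells us the byte order of the file.
    endian = {MAGIC: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None:
        raise ValueError(f"{label}: not a classic microsecond pcap file")
    pos = 24  # skip the 24-byte global header
    while pos + 16 <= len(data):
        sec, usec, incl_len, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        pos += 16
        if pos + incl_len > len(data):
            raise ValueError(f"{label}: truncated packet record")
        yield sec * 1_000_000 + usec + offset_us, label, data[pos:pos + incl_len]
        pos += incl_len

def merge_captures(captures):
    """Merge [(label, pcap_bytes, offset_us), ...] by corrected timestamp.

    Each capture must already be in time order internally (heapq.merge
    requires sorted inputs); ties keep the order the captures were given.
    """
    streams = [read_packets(*c) for c in captures]
    return list(heapq.merge(*streams, key=lambda pkt: pkt[0]))

def build_pcap(packets):
    """Constructed test input: little-endian pcap from (sec, usec, payload)."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, 65535, 1)
    for sec, usec, payload in packets:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

# Constructed sample: R2's clock runs 2 s ahead of R1's.
R1 = build_pcap([(100, 0, b"R1-query"), (100, 500000, b"R1-reply")])
R2 = build_pcap([(102, 100000, b"R2-query"), (102, 300000, b"R2-reply")])

if __name__ == "__main__":
    for name, off in (("uncorrected", 0), ("corrected", -2_000_000)):
        merged = merge_captures([("R1", R1, 0), ("R2", R2, off)])
        print(name, [(t, frame.decode()) for t, _, frame in merged])
```

Without the offset, both R2 packets sort after R1's reply even though they were sent between R1's two packets; with it, the merged order matches the real sequence of events.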
March 25, 2010 at 3:38 a.m. UTC
Thanks for such a wonderful tip. It means the timestamp is only calculated on the basis of the clock. Another question: if I am not getting the clock from a global server, will it work or not?
March 25, 2010 at 5:34 a.m. UTC
@shivlu: Oh, it'll merge the captures no problem. The issue is that if the clocks on the different machines were off significantly at the time of capture the packets may not be merged in their actual chronological order.
March 25, 2010 at 2:16 p.m. UTC
Sake Blok gave a good presentation at SharkFest 2008 on how to merge files if the clocks are different. http://www.cacetech.com/SHARKFEST.08/, it's the D01_Blok_Advanced Scripting, Command Line Usage with tshark.ppt one.
FWIW he's slated to give a similar talk this year. It's a great conference, I'll be there giving a talk on VoIP.