Wireshark Revealed: Essential Skills for IT Professionals

Merging trace files with Mergecap

You can use Mergecap to merge two or more trace files into one file. The basic syntax is as follows:

mergecap -w <outfile.pcapng> infile1.pcapng infile2.pcapng …

For example:

mergecap -w merged.pcapng source1.pcapng source2.pcapng source3.pcapng

One useful option you may sometimes want to use in Mergecap (and in several of the other command-line utilities) is -s <snaplen>. This truncates every packet at the specified number of bytes from the start of the frame, so only the first <snaplen> bytes of each packet are written, resulting in a smaller file; a typical value for <snaplen> is 128 bytes:

mergecap -w merged_trimmed.pcapng -s 128 source1.pcapng source2.pcapng
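To make visible what the chronological merge and the -s <snaplen> truncation do to the individual records, here is an added Python example (not code from the book or from Wireshark) that implements both over classic .pcap files; build_pcap, read_pcap and merge_pcaps are hypothetical helpers written for this illustration, and the sample captures are constructed inline rather than real traffic.

```python
import heapq
import struct

# Classic libpcap format (magic 0xa1b2c3d4, little-endian, microsecond timestamps).
# Assumption: inputs are plain .pcap files; mergecap itself also handles pcapng.
PCAP_GLOBAL = struct.Struct("<IHHiIII")  # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PCAP_RECORD = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1

def build_pcap(packets, linktype=LINKTYPE_ETHERNET):
    """Constructed test helper: serialise (ts_sec, ts_usec, payload) tuples into a pcap file."""
    out = [PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, payload in packets:
        out.append(PCAP_RECORD.pack(ts_sec, ts_usec, len(payload), len(payload)) + payload)
    return b"".join(out)

def read_pcap(data):
    """Parse a pcap file; return (linktype, [(ts_sec, ts_usec, orig_len, captured_bytes), ...])."""
    magic, _, _, _, _, _, linktype = PCAP_GLOBAL.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled here")
    records, off = [], PCAP_GLOBAL.size
    while off < len(data):
        ts_sec, ts_usec, incl_len, orig_len = PCAP_RECORD.unpack_from(data, off)
        off += PCAP_RECORD.size
        records.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def merge_pcaps(inputs, snaplen=None):
    """Merge pcap byte strings in timestamp order (mergecap's default; each input is assumed to be
    already time-ordered) and, like -s <snaplen>, truncate each frame but keep its orig_len."""
    parsed = [read_pcap(d) for d in inputs]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:  # pcap carries one global link type; mixed inputs need pcapng
        raise ValueError(f"mixed link types {sorted(linktypes)} cannot be written as pcap")
    merged = heapq.merge(*(recs for _, recs in parsed), key=lambda r: (r[0], r[1]))
    out = [PCAP_GLOBAL.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen or 65535, linktypes.pop())]
    for ts_sec, ts_usec, orig_len, payload in merged:
        if snaplen is not None:
            payload = payload[:snaplen]
        out.append(PCAP_RECORD.pack(ts_sec, ts_usec, len(payload), orig_len) + payload)
    return b"".join(out)

if __name__ == "__main__":  # constructed sample captures with interleaved timestamps, not real traffic
    demo = merge_pcaps([build_pcap([(1, 0, b"A" * 200), (3, 0, b"C" * 10)]),
                        build_pcap([(2, 500, b"B" * 300)])], snaplen=128)
    for ts_sec, ts_usec, orig_len, cap in read_pcap(demo)[1]:
        print(f"{ts_sec}.{ts_usec:06d}  on-wire={orig_len:3d}  captured={len(cap)}")
```

Because orig_len is preserved while incl_len shrinks, Wireshark still shows the real frame size of a trimmed packet and flags it as truncated, which is why -s 128 is safe for header-level analysis but not for payload reconstruction.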

Mergecap batch file

If the capture files you want to merge have a variety of naming formats, you can create a MergeTraces.bat file containing the following Windows batch commands:

@echo off
setlocal EnableDelayedExpansion
cls
echo MergeTraces.bat
echo.
echo Merges multiple packet trace files with a .pcapng extension into one .pcapng file
echo.
echo Usage: Copy MergeTraces.bat into the directory with the .pcapng files and execute
echo The utility will generate a 'MergedTraces.pcapng' file
echo and a 'MergedFileList.txt' file which lists the .pcapng files processed.
echo.
echo Delayed environment variable expansion is enabled by the setlocal line above,
echo so the script does not depend on CMD having been started with /V:ON.
echo.
echo You must add the path to Wireshark's mergecap.exe to your PATH statement.
echo.
echo If you've not done this, press Ctrl-C to exit; otherwise
pause
echo.
:: Remove the previous output first so it is neither listed nor merged into the new file
echo Deleting old MergedTraces.pcapng...
if exist "MergedTraces.pcapng" del "MergedTraces.pcapng"
echo Deleting old MergedFileList.txt...
if exist "MergedFileList.txt" del "MergedFileList.txt"
for %%f in (*.pcapng) do echo "%%f" >> MergedFileList.txt
echo Preparing to merge:
echo.
type MergedFileList.txt
echo.
echo Merging..........
set FILELIST=
:: Quote each name so filenames containing spaces survive the merge command line
for %%f in (*.pcapng) do set FILELIST=!FILELIST! "%%f"
:: DEBUG
:: echo %FILELIST%
mergecap -w MergedTraces.pcapng %FILELIST%
echo.
if exist MergedTraces.pcapng echo Done.
if NOT exist MergedTraces.pcapng echo Error -- Check your settings.
echo.
endlocal

Copy the batch file into a directory containing only the packet trace files you want to merge and execute it. The batch file merges all the .pcapng files into one file called MergedTraces.pcapng. This is much easier than specifying a long list of unique source files on the command line, especially if the filenames contain date-time stamps. If you need to work with .pcap files instead, change every instance of .pcapng to .pcap in the batch commands; you can also alter the output filename as desired.

Note

You can also merge trace files by dragging the files onto the Wireshark window, or by selecting Merge from the Wireshark File menu. The files are merged in chronological order based on their timestamps. This works reasonably well as long as the total file size doesn't exceed 1GB.

You can get more info and examples of Mergecap options at https://www.wireshark.org/docs/man-pages/mergecap.html.