mergecap

ADVANCED TOPICS
ANALYZE PCAP
OBTAIN PCAP
GET STARTED
Edit Pcap

Merge captures together
2 min |  Ross Jacobs |  March 3, 2019

Table of Contents

Quicklinks: manpage | Wireshark Docs | code


Why combine captures

  • You captured with a ring buffer with tshark -b files:$NUM, and need one file
  • You split the file up with editcap -c/-i
  • You have a program that accepts one file as input and you have multiple
  • You want to aggregate all instances of a problem found in multiple captures, remove non-relevant traffic, and then send it to a colleague.

Caveats

Input captures should be correctly ordered

mergecap assumes that all packet captures are already correctly ordered. If one of the source capture has out-of-order packets, the merged capture will have unpredictably located, out-of-order packets.

Default capture type is pcapng

mergecap will save a file as pcapng unless a different capture type is specified. This means that mergecap file1.pcap ... -w merged.pcap will have a pcap extension but filetype pcapng.

Examples

  • Combine all .pcap files in current directory

      mergecap *.pcap -w merged.pcapng
    
  • Combine all files recursively in a directory ( inspiration)

      find /path/to/dir -type f -maxdepth 2 \
        | xargs mergecap -w merged.pcapng
    
  • Same as above, but reorder all pcaps before merging (preempts caveat)

      find /path/to/dir -type f -maxdepth 2 \
        | xargs -I"{}" reordercap "{}" "{}" \
        | xargs mergecap -w merged.pcapng
    

Similar Tools

Joincap

joincap is a go-based tool that merges captures together, but avoids these errors:

  • Corrupt input global header
  • Corrupt input packet header
  • Input file size is between 24 and 40 bytes (global header is ok, first packet header is truncated)
  • Input file doesn’t exists
  • Input file is a directory

Tcpslice

tcpslice merges captures together with 1.5X throughput and speed compared to mergecap (based on mergecap v2.4.5 testing). It has fewer features: Namely, it can only merge and select packets based upon timestamp. It will also fail if the difference between timestamps exceeds a year.

Similar Articles