merge pcap files

Question

I'm trying to merge 15 pcap files using wireshark. The merging is successful. I'm using appending function so that the second file is just added to the bottom of the first file. But when this is done, I get -ve value in time column. How can I change this? What I intend to do is, replace these 15 smaller files with this one merged files. enter image description here

time offsets are relative to the time if the first frame. You'll want to merge the frames instead of concatenating the files. See the `mergecap` command. — Stéphane Chazelas, Mar 24 '14 at 15:48

score 9 · Answer 1 · edited Jun 17 '14 at 06:55

9

You need to use mergecap without the -a option. This will merge them chronologically based on packet timestamp.

mergecap -w mergedfile.pcap files*.pcap

http://www.wireshark.org/docs/man-pages/mergecap.html

edited Jun 17 '14 at 06:55

TPS

2,483
5
27
45

answered Jun 17 '14 at 06:20

karyhead

191
1
3

score 2 · Answer 2 · answered Jun 27 '18 at 13:29

This can be done using joincap.

go get -u github.com/assafmo/joincap

To merge 1.pcap and 2.pcap:

joincap 1.pcap 2.pcap > merged.pcap

I wrote joincap to overcome what I believe is bad error handling by mergecap and tcpslice.
For more details go to https://github.com/assafmo/joincap.

merge pcap files

2 Answers2