This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Split and then merge again pcap file

0

Hi all, I split a pcap in 3 small pcap files and then I merged back altogether. I was supposing that the merged one is equal to initial file, but I found many differences. Could someone explain to me why?

Thanks

editcap test_initial.pcap test_A.pcap 1-300
tshark -nr test_initial.pcap -R "frame.number==301" -w test_B.pcap
editcap test_initial.pcap test_C.pcap 302-999999999

mergecap -w test_merged.pcap

test_A.pcap

test_B.pcap

test_C.pcap


tshark -nr test_initial.pcap -T pdml > test_initial.xml
tshark -nr test_merged.pcap -T pdml > test_merged.xml
diff test_initial.xml test_merged.xml

asked 03 Oct ‘13, 06:17

Ric79's gravatar image

Ric79
31449
accept rate: 0%

edited 03 Oct ‘13, 06:18

Can you post the initial pcap anywhere folks could have a look? What’s the capinfos report on the initial and merged pcaps?

(03 Oct ‘13, 06:23) grahamb ♦

@grahamb You can use a generic test_initial.pcap file…

(03 Oct ‘13, 23:17) Ric79

One Answer:

2

editcap will not save the listed packets by default. You need to use the "-r" flag to save frames 1-300 to a new file like this:

editcap -r test_initial.pcap test_A.pcap 1-300

answered 03 Oct '13, 07:22

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks.. after adding a "-r" flag to editcap, the process works nicely! Is there a way to use editcap also for extracting just ONE frame?

(03 Oct '13, 23:19) Ric79
1

Maybe try "editcap -r test_initial.pcap test.pcap 1-1"? :-)

(03 Oct '13, 23:24) Jasper ♦♦

Or just use "1":

$ editcap -r http.cap /tmp/x.pcap 1
Add_Selected: 1
Not inclusive ... 1
$ capinfos -Tc /tmp/x.pcap 
File name   Number of packets
/tmp/x.pcap 1

$
(04 Oct ‘13, 00:14) SYN-bit ♦♦

@Jasper … your solution is nice also for n-th frame, not just for the first one

editcap -r test_initial.pcap test_B.pcap 301-301
(04 Oct ‘13, 01:58) Ric79