This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark merging pcap files

0

I'm trying to merge 15 pcap files using Wireshark. The merging is successful. I'm using the appending function so that the second file is just added to the bottom of the first file. But when this is done, I get a negative value in the time column. How can I change this? Given below are the last packet of the first file and the first packet of the second file, the latter with a negative time. What I intend to do is replace these 15 smaller files with this one merged file.

 No      time           Source           Dest.           Protocol Length  Info
4873    10.107185   192.168.10.107  224.10.10.107   UDP 526 Source port: 10711  Destination port: 20711
4874    -8.831791   192.168.11.104  224.11.11.104   UDP 526 Source port: 10431  Destination port: 20431

asked 24 Mar '14, 07:46


jichu
accept rate: 0%

edited 24 Mar '14, 08:59


3 Answers:

1

I'm using appending function so that the second file is just added to the bottom of the first file.

Don't use append mode (omit -a) in mergecap.

Regards
Kurt

answered 24 Mar '14, 08:53


Kurt Knochner ♦
accept rate: 15%

@Kurt If I don't append, will the merge function do the same? Because what I need is a big file that replaces the 15 smaller files.

(24 Mar '14, 08:56) jichu

Just try it ;-)

(24 Mar '14, 09:01) Kurt Knochner ♦

1

I'm trying to merge 15 pcap files using wireshark.

If those were separate captures, done in sequential order, so that the second capture was started after the first capture finished, the third capture was started after the second capture finished, etc., then simply concatenating them will work, as the packets will be in order by the time stamp (assuming the packets in the captures themselves are in order by the time stamp; some packet capture mechanisms can, sadly, deliver packets out of time order).

Otherwise, you MUST NOT concatenate them, as you will have packets out of order and thus have negative time deltas.

"Append mode" does concatenation, so you must not use it except in the circumstance I describe in my first paragraph.

answered 24 Mar '14, 20:00


Guy Harris ♦♦
accept rate: 19%

@GuyHarris The capture files are in sequential order. But if I were to do a merge instead of an append, would Wireshark or mergecap automatically reorder it?

(25 Mar '14, 03:10) jichu

So, in your example, packet 4873 was captured before packet 4874 was captured?

If so, then, if you used append mode, either packet 4873 has an invalid time stamp or packet 4874 has an invalid time stamp (or both have invalid time stamps), meaning that whatever capture mechanism supplied the time stamps has a bug or the clocks were set wrong at the time the packet or packets were captured.

If not, then the capture files are not in sequential order, as you claim that packet 4873 is the last packet of the first file and packet 4874 is the first packet of the second file, so if packet 4874 wasn't captured after packet 4873 was captured, then the second file was started before you were finished with the first file.

(25 Mar '14, 07:38) Guy Harris ♦♦
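To make the difference between append mode and a timestamp merge concrete, here is an added example (not from this thread and not Wireshark's own code): a minimal pcap reader/writer that builds two constructed captures which overlap in time, then combines them the way `mergecap -a` (concatenate) and plain `mergecap` (interleave by timestamp) would. The function names, sample timestamps and dummy payloads are my own assumptions.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # little-endian, microsecond-resolution pcap
# magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
GLOBAL_HDR = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)


def make_pcap(timestamps):
    """Build an in-memory pcap with one dummy 60-byte packet per (sec, usec) (constructed input)."""
    out = bytearray(GLOBAL_HDR)
    for sec, usec in timestamps:
        payload = b"\x00" * 60
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return bytes(out)


def read_records(data):
    """Parse pcap records into (timestamp_seconds, raw_record_bytes), checking for truncation."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    records, off = [], 24
    while off < len(data):
        sec, usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        end = off + 16 + incl_len
        if end > len(data):
            raise ValueError("truncated record at offset %d" % off)
        records.append((sec + usec / 1e6, data[off:end]))
        off = end
    return records


def append_merge(files):
    """Like mergecap -a: concatenate files, keeping each file's own packet order."""
    records = [r for f in files for r in read_records(f)]
    return GLOBAL_HDR + b"".join(raw for _, raw in records)


def chrono_merge(files):
    """Like plain mergecap: interleave by timestamp (stable sort keeps ties in file order)."""
    records = sorted((r for f in files for r in read_records(f)), key=lambda r: r[0])
    return GLOBAL_HDR + b"".join(raw for _, raw in records)


def time_deltas(data):
    """Delta between consecutive packets, i.e. what a delta-time column in Wireshark shows."""
    ts = [t for t, _ in read_records(data)]
    return [round(b - a, 6) for a, b in zip(ts, ts[1:])]


# Constructed captures: the second one was started before the first one finished.
first = make_pcap([(1000, 0), (1010, 107185)])
second = make_pcap([(1001, 275394), (1012, 0)])
```

Appending the two yields deltas of 10.107185, -8.831791 and 10.724606 (the negative value from the question), while the timestamp merge yields 1.275394, 8.831791 and 1.892815.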

0

You can use reordercap (comes with Wireshark since 1.10) to reorder frames according to their timestamps. That should get rid of negative delta times.

answered 24 Mar '14, 08:47


Jasper ♦♦
accept rate: 18%