Hi, when merging two files (especially in chrononlogical order) it somethimes is nessecary to know from which file the corresponding line came. Is there any possibility to get that information in the columns? There's a "file" custom field, but it displays nothing. thanks & best regards, Björn asked 07 Aug '14, 06:09  McSlow |
One Answer:
The latest builds of mergecap usually write the originating files into the PCAPng file header comment field, so you can see it by looking at Statistics -> Summary. answered 07 Aug '14, 06:32  Jasper ♦♦ |
yes, but I'd need it for every packet, so that I can see which packet has been captured from which file or point after merging. Perhaps there's another approach to simultaneoulsy capture at several points in your network and put this in one timeline without getting confused :)
Current scenario was not too uncommon: (Multiple-)Server-Client connection, some "stuff" inbetween, some cross-connections between servers. Captured at all ends with tcpdump and merged all files in wireshark. Of course you will see a lot of packets twice or even n-times, recorded at src- and destination, but sometimes it's a mess to find out which end you're currently watching... :)
You could try to do that with TraceWrangler. It allows creating PCAPng file with one dedicated interface entry per source interface, so you should end up with a file where each packet is assigned it's own interface. Then you could add a column showing interface IDs and you're there.
TraceWrangler is available at http://www.tracewrangler.com
I have to admit that I didn't test the merge features as much as I should, but time is short and I wanted to release the version for Sharkfest :-)