Hello, I have the topology as below.

Host1-(eth1)------ Switch ----(eth2)-Host2

Some traffic is flowing between Host1, Host2 and Host3. I don't have access to the switch. I have captured the traffic at eth1 of Host1, eth2 of Host2 and eth3 of Host3. It is a file of more than 1GB. When Host1 sends traffic to Host2, the traffic captured at eth1 and eth2 is almost the same. I want to know how much total traffic is flowing in this cluster when running a particular job. So I combined these two Wireshark pcap files. I have merged the two files using mergecap -w new.pcap eth1.pcap eth2.pcap

But I think it just adds these two files and it is the same data twice. How can I have all the captured files in a single file without repeating the same traffic twice?

Thanks in advance!

Thanks
Navaz

asked 26 Aug '14, 15:42 navaz
edited 15 Sep '14, 22:30 Guy Harris ♦♦
One Answer:
The best solution would be to not capture the same traffic at both endpoints, as there is no benefit doing so in your environment. Anyway, if you don't want to (or can't) change that, here is what you can do:
Regards

answered 27 Aug '14, 07:03 Kurt Knochner ♦
Thank you Kurt for your response. I have used the above command editcap -D 20 in out, which removed only a few packets. What is the number "20"? I checked the man page and it says "window size". How can we know what window size we need to choose? Is it between 1 and 1000000? How does it affect the result?
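
An added example, not part of the original thread and not Wireshark code: a simplified Python model of a count-based duplicate window of the kind `editcap -D` takes, where each packet's length and MD5 are compared with the previous window - 1 packets of the merged file. The function names, the constructed frames and the clock-skew values are assumptions chosen to show how the distance between the two copies of a packet decides which window size finds them.

```python
import hashlib
from collections import deque

def merge_by_time(*captures):
    """Interleave captures by timestamp, as a timestamp-ordered merge does."""
    return sorted((p for cap in captures for p in cap), key=lambda p: p[0])

def dedup(packets, window):
    """Keep a packet unless its (length, MD5) matches one of the previous
    window - 1 packets. Simplified model, not editcap's own code."""
    recent = deque(maxlen=max(window - 1, 0))
    kept = []
    for ts, data in packets:
        key = (len(data), hashlib.md5(data).digest())
        if key not in recent:
            kept.append((ts, data))
        recent.append(key)  # dropped packets still occupy a window slot
    return kept

def demo(skew_us, window, count=100, interval_us=1000):
    """Return how many packets survive dedup of the merged captures."""
    # Constructed sample: Host1 sends `count` unique frames, one per interval.
    eth1 = [(i * interval_us, b"frame-%04d" % i) for i in range(count)]
    # The same frames as recorded on Host2, whose clock is `skew_us` ahead.
    eth2 = [(ts + skew_us, data) for ts, data in eth1]
    return len(dedup(merge_by_time(eth1, eth2), window))

if __name__ == "__main__":
    # Clocks nearly in sync: copies are adjacent, a tiny window is enough.
    print("skew 0.1 ms, window 2 :", demo(100, 2))
    # 8.5 ms skew at 1 packet/ms: copies end up to 17 positions apart.
    for w in (5, 10, 20):
        print("skew 8.5 ms, window", w, ":", demo(8500, w))
```

With 100 unique frames captured twice, the count reaches 100 only once the window is larger than the number of packets that land between the two copies, which grows with packet rate and with the clock offset between the capturing hosts. The comparison also needs byte-identical packets, so copies that differ between the two capture points are never matched at any window size.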