This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Merging captures on 1.99.5

0

I'm looking into merging two captures of different encapsulation type for chronological packet analysis. On the current stable version of Wireshark (1.12.4), you are unable to do this via the GUI OR the CLI using mergecap (as mentioned, only if the encap type is different).

When using the devel version (1.99.5), I am able to successfully merge two different encapsualtion type captures (802.11+radiotap && ethernet) when using the GUI only. When using mergecap, I obtain the following:

$ mergecap -w "testmergefile.pcapng" wired.pcap wireless.pcap -vvv
mergecap: wired.pcap is type Wireshark/... - pcapng.
mergecap: wireless.pcap is type Wireshark/tcpdump/... - pcap.
mergecap: multiple frame encapsulation types detected
          defaulting to WTAP_ENCAP_PER_PACKET
          wired.pcap had type Ethernet (ether)
          wireless.pcap had type IEEE 802.11 plus radiotap radio header (ieee-802-11-radiotap)
mergecap: selected frame_type Per packet (per-packet)
mergecap: Can't open or create testmergefile.pcapng: Files from that network type can't be saved in that format

$ mergecap –version
Mergecap (Wireshark) 1.99.5 (v1.99.5-0-g7e8595c from master)

As mentioned, this works fine from the GUI, so I’m not sure if devel version uses mergecap in the background for merges, or something else? If it is something else, do we have the ability to invoke this via CLI for automation purposes?

asked 04 May ‘15, 10:59

thisisatestcaptures's gravatar image

thisisatestc…
6112
accept rate: 0%

edited 04 May ‘15, 13:15

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

One Answer:

0

This is a bug, for which an ongoing patch is under review here: https://code.wireshark.org/review/#/c/8293/

answered 04 May '15, 14:14

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%