Hello, I have a TDM interface which can capture LAPD traffic, and I have an application which can output the captured packets both in pcap or in pcap-ng format and both to a file or to an output pipe. I need to capture on both an Ethernet interface and the TDM interface at the same time, and get a single common file containing the captured packets from both interfaces.

Issue #1: merge fails

    D:"c:mergecap.exe" -w merge-attempt.pcapng export-ether.pcapng export-lapd.pcapng -v

Merging two pcapng files with the same frame encapsulation type by Wireshark works fine, regardless of the particular encapsulation type. As for LAPD, encapsulations "LAPD" (203) and "LAPD with Linux pseudo-header" (177) give the same results when merged with "ether" (1).

Issue #2: capture from a pipe doesn't accept pcapng

Questions:

Edit: the two minimalistic pcapng files illustrating the issue can be found here:

Thank you

asked 13 Sep '15, 04:02 sindy
edited 11 Nov '15, 01:55
One Answer:
Although mergecap does not work (as you said) the following two methods do work for me with Wireshark 1.12.8 on Windows.
The merged file can be saved as pcapng. I used a sample pcapng file with LAPD encapsulation from bugs.wireshark.org. If these methods don't work for you, please post two (small) sample files, so we can check.

Edit: in Wireshark 2.0.0, drag-and-dropping both files opens just one of them, and for some reason the Ethernet-encapsulated one is preferred regardless of the order of their selection.

Regards

answered 10 Nov '15, 18:28 Kurt Knochner ♦
edited 05 Dec '15, 09:41 sindy

Hi Kurt, I didn't know drag and drop of two files at once was possible, and it does work with my files in Wireshark 1.12.8/W7-64bit. Opening one file followed by File->Merge of the other one does not work with the same two files (my current Wireshark freezes like 1.12.7 did). As the drag and drop works, I'll accept your answer. As the "traditional method" works for you but does not work for me (same 1.12.8, but I don't know what your OS is), are you interested in the two files anyway? Pavel (10 Nov '15, 22:23) sindy

I've added links to the simplest possible files to my question (one frame per file). I hesitate to file a bug, as the importance for the community is low now that you've found the right way to fulfil the task. (11 Nov '15, 02:08) sindy
OK, I'll answer to myself.
As of now, at least for the stable version, and although some page at the Wireshark wiki states otherwise, pcapng is not an acceptable input to the pipe, period.
And, as of now, the mergecap from the install package is not a suitable tool for the task either.
So the solution is: as you are able to generate pcapng in your application, it should not be a big deal for you to code your own "mergepcapng" application which will read the Ethernet frames from the pcapng saved by Wireshark and the LAPD frames with packet flags saved by your capturing application, and write them both into a pcapng file which, luckily, Wireshark is able to read. Your advantage over the Wireshark team is that you need not bother about support for all the timestamp resolutions, interface/system name merge/substitution etc. in ad-hoc code.
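As an added illustration of the "write your own mergepcapng" approach described in this answer (example code added by the editor, not from the original thread, from Wireshark, or from the asker's application): a minimal pcapng merger in Python. It parses the Section Header, Interface Description and Enhanced Packet blocks of several little-endian pcapng files, copies every IDB verbatim under a new interface ID (so options such as if_tsresol survive), renumbers each EPB's interface field, keeps EPB options such as epb_flags untouched, and writes the packets out in timestamp order. It takes exactly the shortcuts the answer allows: one timestamp resolution for all inputs and no attempt at name or interface deduplication. The function names, the two constructed sample captures (an Ethernet file and a LAPD file with made-up frame bytes) and the timestamps are assumptions of the example, not the files linked from the question.

```python
import struct

# pcapng block types and the little-endian byte-order magic (from the pcapng specification)
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BOM = 0x1A2B3C4D


def _pad4(n):
    return (n + 3) & ~3


def block(btype, body):
    """Wrap a block body with type, total length and trailing total length (little-endian)."""
    body = body + b"\0" * (_pad4(len(body)) - len(body))
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def iter_blocks(data):
    """Yield (block_type, body) for every block; body excludes the type and both length fields.
    Only little-endian sections are handled; a big-endian Section Header Block raises ValueError."""
    off = 0
    while off < len(data):
        if off + 12 > len(data):
            raise ValueError("truncated block at offset %d" % off)
        btype, blen = struct.unpack_from("<II", data, off)
        if off == 0 and btype != SHB:
            raise ValueError("file does not start with a Section Header Block")
        if btype == SHB and struct.unpack_from("<I", data, off + 8)[0] != BOM:
            raise ValueError("big-endian section at offset %d is not supported" % off)
        if blen < 12 or blen % 4 or off + blen > len(data):
            raise ValueError("bad block length %d at offset %d" % (blen, off))
        if struct.unpack_from("<I", data, off + blen - 4)[0] != blen:
            raise ValueError("trailing length mismatch at offset %d" % off)
        yield btype, data[off + 8:off + blen - 4]
        off += blen


def merge_pcapng(files):
    """Merge pcapng byte strings into one little-endian section, packets ordered by timestamp.
    Assumption: all inputs use the same timestamp resolution (default: microseconds), so the raw
    64-bit EPB timestamps are directly comparable. IDB bodies and EPB options are copied verbatim;
    other block types (name resolution, statistics, Simple Packet Blocks) are dropped."""
    idbs, packets, seq = [], [], 0
    for data in files:
        ifmap = {}                      # interface ID within the current section -> merged ID
        for btype, body in iter_blocks(data):
            if btype == SHB:
                ifmap = {}              # a new section restarts interface numbering at 0
            elif btype == IDB:
                ifmap[len(ifmap)] = len(idbs)
                idbs.append(body)
            elif btype == EPB:
                ifid, tsh, tsl, caplen, origlen = struct.unpack_from("<IIIII", body)
                if ifid not in ifmap:
                    raise ValueError("EPB refers to undefined interface %d" % ifid)
                pkt = body[20:20 + caplen]
                opts = body[20 + _pad4(caplen):]     # e.g. epb_flags written by the capture app
                packets.append(((tsh << 32) | tsl, seq, ifmap[ifid], caplen, origlen, pkt, opts))
                seq += 1                # keeps input order stable for equal timestamps
    packets.sort(key=lambda p: p[:2])
    out = [block(SHB, struct.pack("<IHHq", BOM, 1, 0, -1))]   # version 1.0, section length unknown
    out += [block(IDB, body) for body in idbs]
    for ts, _, ifid, caplen, origlen, pkt, opts in packets:
        hdr = struct.pack("<IIIII", ifid, ts >> 32, ts & 0xFFFFFFFF, caplen, origlen)
        out.append(block(EPB, hdr + pkt + b"\0" * (_pad4(caplen) - caplen) + opts))
    return b"".join(out)


def describe(data):
    """Return ([linktype per IDB], [(interface_id, timestamp, captured_len) per EPB])."""
    linktypes, pkts = [], []
    for btype, body in iter_blocks(data):
        if btype == IDB:
            linktypes.append(struct.unpack_from("<H", body)[0])
        elif btype == EPB:
            ifid, tsh, tsl, caplen, _ = struct.unpack_from("<IIIII", body)
            pkts.append((ifid, (tsh << 32) | tsl, caplen))
    return linktypes, pkts


def make_pcapng(linktype, packets):
    """Constructed single-interface pcapng file; packets is a list of (timestamp_us, frame bytes)."""
    out = [block(SHB, struct.pack("<IHHq", BOM, 1, 0, -1)),
           block(IDB, struct.pack("<HHI", linktype, 0, 65535))]
    for ts, frame in packets:
        hdr = struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame))
        out.append(block(EPB, hdr + frame))
    return b"".join(out)


# Constructed sample captures (not the asker's files): LINKTYPE_ETHERNET = 1, LINKTYPE_LAPD = 203
ETHER_FRAME = bytes.fromhex("ffffffffffff0011223344550800") + bytes(28)   # made-up 42-byte frame
LAPD_FRAME = bytes.fromhex("02010100")                                     # made-up 4-byte frame
ETHER_PCAPNG = make_pcapng(1, [(1000, ETHER_FRAME), (3000, ETHER_FRAME)])
LAPD_PCAPNG = make_pcapng(203, [(2000, LAPD_FRAME), (4000, LAPD_FRAME)])
MERGED = merge_pcapng([ETHER_PCAPNG, LAPD_PCAPNG])

if __name__ == "__main__":
    with open("merged.pcapng", "wb") as f:
        f.write(MERGED)
    print(describe(MERGED))   # ([1, 203], [(0, 1000, 42), (1, 2000, 4), (0, 3000, 42), (1, 4000, 4)])
```

Run stand-alone it writes merged.pcapng, which carries one IDB per input interface and the four packets interleaved by time; Wireshark shows interface 0 as Ethernet and interface 1 as LAPD. If the two capturing programs use different if_tsresol values, the per-interface IDB options still let Wireshark display each packet's time correctly, but the sort order in the merged file would be wrong, which is why the example insists on a common resolution.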