This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

using Mergecap to combine many large files at once

0

Using the command "Mergecap" is great when you only have a handful of files (say less than 10) but I have an instance where I am generating lots of large files in Tshark (sizes = 200m @) from a single site and want to look at them in one continuous file instead of a file set. I also want to look at them in Pilot on occasion and when using Mergecap, I have to hand type each file in the string that I want to merge. A day's worth is often 140 files and 31G or more. Is there a way to take all the files in a given folder and merge them into a "superfile" all at once instead of that long string? The final file would get pretty big but Pilot is good up to 6 or so Gigs. Thanks

asked 26 Aug '11, 21:27

EricKnaus


One Answer:

2

Here are some examples:
$ mergecap *.cap -w test1.pcap
$ mergecap *.pcap -w test2.pcap
$ mergecap *.*cap -w test3.pcap

answered 27 Aug '11, 01:28

joke

edited 27 Aug '11, 01:32

Thanks - those worked great!
An interesting caveat though is that while I am able to open 1G and greater files that were merged using Mergecap in WS1.7, I am unable to open the same file in Pilot. It returns a "link layer" error. Would this be an issue in the way WS merges multiple large files or something going on in Pilot? Here's another. When I used the merge within the WS GUI, Pilot WAS able to read that. Strange.

(27 Aug '11, 13:16) EricKnaus
2

That's because in WS1.7 the default file format has been changed to pcap-ng and Pilot does not read pcap-ng files. Unfortunately there is no switch in the CLI utilities to save as pcap in WS1.7. You can either build your own version where you use the configure script to default back to pcap or you can use the CLI utilities of 1.6.1.

(there needs to be a switch to save as pcap, but it is not developed yet)

(27 Aug '11, 15:13) SYN-bit ♦♦
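
Added example, not part of the original thread: a POSIX shell sketch that groups a folder of captures into size-capped mergecap batches (so each output stays under a reader's limit, such as the roughly 6 GB mentioned in the question) and reports whether a file is pcap or pcap-ng from its first four bytes. The function names and the `merged_N.pcap` output names are hypothetical; it assumes file names without spaces and that it is run from a directory other than the input folder.

```shell
#!/bin/sh
# Added example: plan size-capped mergecap batches and identify capture formats.

# Print the capture format of file $1, judged by its first four bytes on disk.
capture_format() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        0a0d0d0a)          echo pcapng ;;  # pcap-ng Section Header Block type
        d4c3b2a1|a1b2c3d4) echo pcap ;;    # classic pcap, microsecond timestamps
        4d3cb2a1|a1b23c4d) echo pcap ;;    # classic pcap, nanosecond timestamps
        *)                 echo unknown ;;
    esac
}

# Group the *.pcap and *.cap files in directory $1 into batches whose combined
# size stays at or below $2 bytes (a single oversized file gets its own batch).
# Prints one line per batch: "<output name> <input files...>".
# The body runs in a subshell so its variables stay local.
plan_batches() (
    dir=$1; max=$2; n=1; total=0; batch=""
    for f in "$dir"/*.pcap "$dir"/*.cap; do
        [ -f "$f" ] || continue            # skip unmatched glob patterns
        size=$(wc -c < "$f"); size=$((size + 0))
        if [ -n "$batch" ] && [ $((total + size)) -gt "$max" ]; then
            echo "merged_$n.pcap$batch"    # close the current batch
            n=$((n + 1)); batch=""; total=0
        fi
        batch="$batch $f"; total=$((total + size))
    done
    [ -z "$batch" ] || echo "merged_$n.pcap$batch"
)

# Run mergecap once per planned batch and report the format of each output,
# so a pcap-ng result is noticed before it is handed to a pcap-only reader.
merge_batches() {
    plan_batches "$1" "$2" | while read -r out inputs; do
        # Word splitting of $inputs is intended here.
        mergecap -w "$out" $inputs && echo "$out: $(capture_format "$out")"
    done
}
```

Calling `plan_batches /path/to/captures 6000000000` prints the plan without touching any file; `merge_batches` with the same arguments performs the merges.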