Hi to all,
After merging two pcap files with the command "mergepcap -a 1.pcap 2.pcap -w result.pcap", the output from TShark and Wireshark is different.
In detail, if I open result.pcap with TShark using this command: /usr/bin/tshark -r result.pcap -T fields -e tcp.stream -e frame.time -e tcp.checksum -R "tcp" | grep ".02696400" | more
The result is "20 Dec 15, 2011 11:12:20.026964000 0xf3a8"
When I open result.pcap with Wireshark and the filter is tcp.stream eq 20, I don't have any record.
The same packet (Dec 15, 2011 11:12:20.026964000 0xf3a8) is visible if I put "tcp.stream eq 56" in the Wireshark filter.
Why? Am I doing something wrong when merging the 2 pcap files?
asked 11 Jan '12, 05:38
I doubt that the issue has anything to do with mergecap.
I don't specifically know why you get different results for
Do you get a different stream value if you remove the
answered 12 Jan '12, 08:31
Bill Meier ♦♦