How to concatenate two tcpdump files (pcap files)

networking tcp wireshark pcap tcpdump
36,098

Solution 1

mergecap can resolve your issue, but you must use it with '-a' option, otherwise it reorders packets temporally. Then: mergecap -a file_1.pcap file_1.pcap file_1.cap -w output_file.pcap

Solution 2

As the other answers say, you can use File->Merge in Wireshark, tcpslice, or mergecap. You can also drag a file into Wireshark's main window. If Wireshark/tcpdump/snort/Ntop/etc supported pcap-ng, you'd be able to simply concatenate your capture files.

Solution 3

Wireshark has the File -> Merge command which should do this.

I also remember mergecap being a tool to do so, but I haven't used it in a while.

Solution 4

Use mergecap from Wireshark:

mergecap ... -w output.cap

Solution 5

to join multiple pcap, use this batch script

all pcap files must be in the same folder that batch script located and also first pcap file must be named 01.pcap and second must be 02.pcap when you dir the directory, there is no other limitation.

@echo off
@setlocal enableextensions enabledelayedexpansion

set /a var1=1
set mergecapL="C:\Program Files\Wireshark"

dir /b *.pcap > list.txt
%mergecapL%\mergecap.exe -w %cd%\out%var1%.pcap %cd%\01.pcap %cd%\02.pcap
FOR /F "skip=2 delims=" %%A IN (list.txt) DO (
    set var2=!var1!
    set /a var1+=1
    %mergecapL%\mergecap.exe -w %cd%\out!var1!.pcap %cd%\out!var2!.pcap "%cd%\%%A"
    del out!var2!.pcap
)
del list.txt
Share:
36,098
Admin
Author by

Admin

Updated on July 09, 2022

Comments

  • Admin
    Admin almost 2 years

    How to concatenate two tcpdump files, so that one traffic will appear after another in the file? To be concrete I want to "multiply" one tcpdump file, so that all the sessions will be repeated one after another sequentially few times.

  • Admin
    Admin almost 15 years
    But don't they all just merge packet data, without caring about sequential numbers and shift of the packets in time, so that one concatenation segment is placed after another in time.
  • Gerald Combs
    Gerald Combs almost 15 years
    If you use File->Merge or mergecap you have the option of prepending, merging chronologically (interleaving according to timestamps), or appending.
  • Léo Lam
    Léo Lam about 9 years
    Why use a commercial, closed-source, limited tool when you have mergecap?
  • Clayton Dukes
    Clayton Dukes over 8 years
    Note that mergecap is part of the "wireshark-common" package in debian-based distros

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

TCP Server sends [ACK] followed by [PSH,ACK]
tcpdump filter for tcp zero window messages
tcpdump capturing tcp resets by host
tcpdump: snaplen set to 0 but still get "Packet size limited during capture"?
what does this wireshark info refer to
Stripping payload from a tcpdump?
Parsing pcap taken from wireshark file using - Java
TCP Dup ACK/Retransmission, bad configuration?
tcpdump read both ipv4 and ipv6 packets from pcap
Capture only TCP SYN-ACK packets with tcpdump