How to concatenate two tcpdump files (pcap files)
Solution 1
mergecap can resolve your issue, but you must use it with '-a' option, otherwise it reorders packets temporally. Then: mergecap -a file_1.pcap file_1.pcap file_1.cap -w output_file.pcap
Solution 2
As the other answers say, you can use File->Merge in Wireshark, tcpslice, or mergecap. You can also drag a file into Wireshark's main window. If Wireshark/tcpdump/snort/Ntop/etc supported pcap-ng, you'd be able to simply concatenate your capture files.
Solution 3
Wireshark has the File -> Merge command which should do this.
I also remember mergecap being a tool to do so, but I haven't used it in a while.
Solution 4
Use mergecap from Wireshark:
mergecap ... -w output.cap
Solution 5
to join multiple pcap, use this batch script
all pcap files must be in the same folder that batch script located and also first pcap file must be named 01.pcap and second must be 02.pcap when you dir the directory, there is no other limitation.
@echo off
@setlocal enableextensions enabledelayedexpansion
set /a var1=1
set mergecapL="C:\Program Files\Wireshark"
dir /b *.pcap > list.txt
%mergecapL%\mergecap.exe -w %cd%\out%var1%.pcap %cd%\01.pcap %cd%\02.pcap
FOR /F "skip=2 delims=" %%A IN (list.txt) DO (
set var2=!var1!
set /a var1+=1
%mergecapL%\mergecap.exe -w %cd%\out!var1!.pcap %cd%\out!var2!.pcap "%cd%\%%A"
del out!var2!.pcap
)
del list.txt
Admin
Updated on July 09, 2022Comments
-
Admin almost 2 years
How to concatenate two tcpdump files, so that one traffic will appear after another in the file? To be concrete I want to "multiply" one tcpdump file, so that all the sessions will be repeated one after another sequentially few times.
-
Admin almost 15 yearsBut don't they all just merge packet data, without caring about sequential numbers and shift of the packets in time, so that one concatenation segment is placed after another in time.
-
Gerald Combs almost 15 yearsIf you use File->Merge or mergecap you have the option of prepending, merging chronologically (interleaving according to timestamps), or appending.
-
Léo Lam about 9 yearsWhy use a commercial, closed-source, limited tool when you have mergecap?
-
Clayton Dukes over 8 yearsNote that mergecap is part of the "wireshark-common" package in debian-based distros