This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Reassembling/Merge failure

0

Hi,

I received a capture from a client for analysis. Unfortunately, although I can open the individual split files in Wireshark (tried with 1.10.6 x64 & x32), I cannot merge the files. I tried to do it from Wireshark itself and using mergecap, but each time I receive the same error:

D:\tmp\capture\data>ls
shark10380_00001_20140320094921  shark10380_00002_20140320095016

D:\tmp\capture\data>mergecap -v -w ..\merged.pcapng shark*.*
mergecap: shark10380_00001_20140320094921 is type Wireshark/… - pcapng.
mergecap: shark10380_00002_20140320095016 is type Wireshark/… - pcapng.
mergecap: selected frame_type Ethernet (ether)
Record: 1
mergecap: Error writing to outfile: Error -23

Of course I have space left on the disk and the directories are writable. I have no idea what the problem is. I did exactly the same for another analysis, also received yesterday from the same client, that I could merge successfully.

Thanks if someone can help.

asked 21 Mar '14, 00:47


McFoggy


One Answer:

1

Can you check if there is more than one interface captured in the files? Mergecap does not work with that kind of file; it can only merge files captured on a single interface at this time. It is a known bug.

Easiest way to check is to open the Summary in the Statistics menu.

answered 21 Mar '14, 05:02


Jasper ♦♦

You got it right, there are 4 interfaces on this capture while the one that worked previously had only one interface captured. Thanks a lot.

(21 Mar '14, 05:22) McFoggy

We should add an error code string for that, as "-23" isn't too helpful. ;)

(21 Mar '14, 07:09) Hadriel

Actually forget that - it would be almost as much work as just fixing it to handle multiple interfaces. (it's bug 8795, BTW)

(21 Mar '14, 07:17) Hadriel
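
The check suggested in the answer (how many interfaces a pcapng file describes) can also be scripted when a batch of captures has to be triaged before merging. The following is an added example, not part of the original thread and not Wireshark code: it walks the pcapng block structure and returns one entry per Interface Description Block, across all sections. The helper names and the sample capture bytes are constructed for illustration, and the script reads each file fully into memory.

```python
import struct
import sys

SHB_TYPE = 0x0A0D0D0A  # Section Header Block (reads the same in either byte order)
IDB_TYPE = 0x00000001  # Interface Description Block
BYTE_ORDER_MAGIC = 0x1A2B3C4D

def _if_name(options, endian):  # if_name is option code 2 in an IDB's option list
    pos = 0
    while pos + 4 <= len(options):
        code, length = struct.unpack_from(endian + "HH", options, pos)
        if code == 0:  # opt_endofopt
            break
        if code == 2:
            return options[pos + 4:pos + 4 + length].decode("utf-8", "replace")
        pos += 4 + ((length + 3) & ~3)  # option values are padded to 32 bits
    return None

def list_interfaces(data):
    """Return [(linktype, if_name or None), ...], one entry per IDB in pcapng bytes."""
    interfaces, endian, offset = [], "<", 0
    while offset + 12 <= len(data):
        if data[offset:offset + 4] == b"\x0a\x0d\x0d\x0a":  # new section: re-detect byte order
            magic = struct.unpack_from("<I", data, offset + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        block_type, total_len = struct.unpack_from(endian + "II", data, offset)
        if total_len < 12 or total_len % 4 or offset + total_len > len(data):
            raise ValueError("malformed block at offset %d" % offset)
        if block_type == IDB_TYPE and total_len >= 20:
            body = data[offset + 8:offset + total_len - 4]
            linktype = struct.unpack_from(endian + "H", body, 0)[0]
            interfaces.append((linktype, _if_name(body[8:], endian)))
        offset += total_len
    return interfaces

def _block(block_type, body):
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)

def _idb(name):  # Ethernet (linktype 1) interface with an if_name option
    opts = struct.pack("<HH", 2, len(name)) + name + b"\x00" * (-len(name) % 4)
    return _block(IDB_TYPE, struct.pack("<HHI", 1, 0, 65535) + opts + struct.pack("<HH", 0, 0))

# Constructed sample: one little-endian section describing two interfaces.
SAMPLE = _block(SHB_TYPE, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1)) + _idb(b"eth0") + _idb(b"eth1")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, list_interfaces(open(path, "rb").read()))
```

A file for which the returned list has more than one entry is the multi-interface case the answer describes.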