Is there a tool or best practices for intelligent merging?

asked 2018-02-25 13:06:12 +0000

Dan

There are command-line tools for merging pcap files (editcap, mergecap, etc.). You can also merge directly in Wireshark. But there are issues. It also seems to me that most tutorials and man pages assume that the pcaps to be merged were taken on the same machine. But if one wants to merge pcap files from different sources, many things need to be considered. (I am sure that experienced network engineers would roll their eyes at my ways of doing things. In that case, please teach me :-) )

Thus my question: Is there a tool around that helps me prepare a combined/merged pcap that has common issues already taken care of?

Common issues:

1 - Time is different at each location I take a trace. Yes, editcap can take care of that (before I merge). I could also first make sure that the time is synchronized before I take a trace. But all of this is tedious.

2 - At what location was the frame actually taken? There are several methods. I could use the interface name if the trace was made with Wireshark and I saved as pcapng. I could then display a custom column with that value. This has some use, but is limited.

It would be great if `editcap -a <framenum>:<comment>` would allow using a range or all for framenum. That way I could add a comment that would indicate the location I took a trace (i.e. `editcap -a all:LANport3`). I can add the comment field as a column. Yeah..

3 - Indicate/mark the same frame along a route, visible in several pcaps. For example, I would take a trace on a phone (Yealink), the LAN port of a router (Zyxel USG), its WAN port and on the server (tcpdump) having Asterisk installed. Packets go missing and I have no clue. With these four traces intelligently merged into one, I might be able to find the reason for disappearing packets. I have to admit, sometimes I even trace on WAN and LAN port just to identify weird NAT or firewall rules (roll your eyes, guys). Anyway, I have recently learned that there are ways to identify identical frames by comparing MD5 hashes. But this is also tedious. And if ALG might play a role (see SIP ALG and such), I doubt that the MD5 hash will help. In any case it's things that might be automated by this unknown tool?

I am sure that there are other things such a tool could do to help less experienced people like me to understand better what's going on.

Now, is there such a tool, somewhere? Or is this all wishful thinking? Or do I have a totally weird way of doing things and there are easier ways to get what I need?

Thanks

Dan

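The MD5 matching from issue 3, as an added example that is not part of the original post and not Wireshark code: each IPv4 packet is hashed with the hop-dependent fields (MAC header, TTL, header checksum) neutralised, frames from two capture points are paired, and the clock offset from issue 1 falls out of the paired timestamps. The function names, the `(timestamp, frame)` list layout and the sample frames are assumptions constructed for this illustration.

```python
import hashlib
import struct
from statistics import median

def frame_key(frame):
    """MD5 over the IPv4 packet with hop-dependent fields neutralised."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                    # not Ethernet/IPv4: not handled here
    ip = bytearray(frame[14:])         # drop the MAC header, rewritten per hop
    ip[8] = 0                          # TTL, decremented by every router
    ip[10:12] = b"\x00\x00"            # header checksum, recomputed with the TTL
    return hashlib.md5(bytes(ip)).hexdigest()

def correlate(cap_a, cap_b):
    """Return (pairs, clock_offset, unmatched_a) for two [(ts, frame)] lists."""
    seen_b = {}
    for j, (ts, frame) in enumerate(cap_b):
        seen_b.setdefault(frame_key(frame), []).append((j, ts))
    pairs, unmatched = [], []
    for i, (ts, frame) in enumerate(cap_a):
        key = frame_key(frame)
        hits = seen_b.get(key) if key else None
        if hits:
            j, ts_b = hits.pop(0)      # identical frames pair up in capture order
            pairs.append((i, j, ts_b - ts))
        else:
            unmatched.append(i)        # seen at A, never seen at B
    offset = median(d for _, _, d in pairs) if pairs else 0.0
    return pairs, offset, unmatched

def make_frame(macs, ttl, src_ip, ip_id, payload):
    """Constructed sample frame: Ethernet + IPv4 + UDP (UDP checksum 0)."""
    udp = struct.pack("!HHHH", 5060, 5060, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, ttl,
                      17, 0, bytes(src_ip), bytes([203, 0, 113, 10]))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:                     # fold carries: IPv4 header checksum
        s = (s & 0xFFFF) + (s >> 16)
    return macs + b"\x08\x00" + hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:] + udp

# Constructed captures: server clock 120.5 s ahead, 3 ms path delay, two routers
# in between (TTL 64 -> 62), and the third frame lost on the way.
PHONE = [(10.0 + 0.02 * n, make_frame(b"\x02" * 12, 64, [192, 168, 1, 20], n, b"RTP%d" % n))
         for n in range(4)]
SERVER = [(ts + 120.503, make_frame(b"\x06" * 12, 62, [192, 168, 1, 20], n, b"RTP%d" % n))
          for n, (ts, _) in enumerate(PHONE) if n != 2]
```

A NAT or SIP ALG hop rewrites addresses or payload, so frames captured on either side of it produce different keys and land in the unmatched list, which is the limitation the post anticipates.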