preserve source file info when merging
I frequently have to capture a given traffic flow from multiple taps and compare the resultant files.
Staring at and comparing multiple Wireshark windows is difficult, but merging the pcapng files loses the ability to clearly identify which tap captured which packet. I have to be able to quickly distinguish a packet dropped by the network versus one not captured by a tap.
I'd like to set the packet.comment field to that of the original file name before merging. Is that possible with some one-liner or with Lua?
Currently I'm using a Perl script to bounce between two temp files, updating one frame at a time with editcap. Performance isn't great at 4 to 14 frames per second depending on the file.
Do frame.interface_id or frame.interface_name vary based on tap? Or would it be okay to modify the interface name?
Trace Wrangler can do that. Unfortunately it doesn't add frame comments.
interface_name is always -.
I'll check out Trace Wrangler. Thanks!
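
One way to do the tagging asked about in the question in a single pass per file, as an added example (not code from any participant in this thread or from the Wireshark project): it rewrites a pcapng file so that every Enhanced Packet Block carries an opt_comment option holding the source file name. The function names, the `.tagged.pcapng` output suffix and the one-packet sample capture are assumptions made for the example; Simple Packet Blocks and the obsolete Packet Block are copied through untagged.

```python
import struct, sys

EPB, OPT_COMMENT = 6, 1  # Enhanced Packet Block type, opt_comment option code

def pad4(n):
    return (n + 3) & ~3

def blocks(data):
    """Yield (endian, type, body) for each pcapng block."""
    pos, endian = 0, "<"
    while pos < len(data):
        if data[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":  # SHB: byte-order magic follows the length
            endian = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError(f"corrupt block at offset {pos}")
        yield endian, btype, data[pos + 8:pos + blen - 4]
        pos += blen

def block(endian, btype, body):
    """Serialize one block; the total length is written before and after the body."""
    total = struct.pack(endian + "I", len(body) + 12)
    return struct.pack(endian + "I", btype) + total + body + total

def annotate(data, comment):
    """Return pcapng bytes with opt_comment=comment added to every Enhanced Packet Block."""
    text, out = comment.encode(), bytearray()
    for endian, btype, body in blocks(data):
        if btype == EPB:
            opts_at = 20 + pad4(struct.unpack_from(endian + "I", body, 12)[0])  # 20 fixed bytes + padded data
            opt = struct.pack(endian + "HH", OPT_COMMENT, len(text)) + text.ljust(pad4(len(text)), b"\0")
            body = body[:opts_at] + opt + (body[opts_at:] or b"\0" * 4)  # keep old options or add opt_endofopt
        out += block(endian, btype, body)
    return bytes(out)

def sample_capture():
    """Constructed one-packet capture: SHB + IDB (Ethernet) + EPB carrying 5 dummy bytes."""
    shb = struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)
    idb = struct.pack("<HHI", 1, 0, 0)
    epb = struct.pack("<IIIII", 0, 0, 0, 5, 5) + b"hello\0\0\0"
    return block("<", 0x0A0D0D0A, shb) + block("<", 1, idb) + block("<", EPB, epb)

if __name__ == "__main__":
    for path in sys.argv[1:]:  # writes <path>.tagged.pcapng beside each input file
        with open(path, "rb") as f:
            tagged = annotate(f.read(), path)
        with open(path + ".tagged.pcapng", "wb") as g:
            g.write(tagged)
```

Run it with each tap's capture as an argument and merge the tagged outputs; in Wireshark the tap's file name is then available per packet as frame.comment.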