preserve source file info when merging

asked 2020-09-29 23:32:08 +0000

sigtraniac
7 ●1 ●1 ●2

I frequently have to capture a given traffic flow from multiple taps and compare the resultant files.

Staring and comparing multiple wireshark windows is difficult but merging the pcapng files loses the ability to clearly identify which tap captured which packet. I have to be able to quickly distinguish a packet dropped by the network versus one not captured by a tap.

I'd like to set the packet.comment field to that of the original file name before merging. Is that possible with some one-liner or with lua?

Currently I'm using a perl script to bounce between two temp files updating one frame at a time with editcap. Performance isn't great at 4 to 14 frames per second depending on the file.

edit retag flag offensive close merge delete

Comments

Do frame.interface_id or frame.interface_name vary based on tap?
Or would it be okay to modify the interface name?
Trace Wrangler can do that. Unfortunately doesn't add frame comments.

Chuckc ( 2020-09-30 00:25:08 +0000 )edit

interface_name is always -.

I check out Trace Wrangler. Thanks!

sigtraniac ( 2020-09-30 16:41:29 +0000 )edit

add a comment

Comments

Thanks. I recently saw that field but wasn't sure what it was tracking. I carefully re-merged my files and verified the value lines up with the file in the order it appears in the mergecap command.

Thanks!

sigtraniac ( 2020-09-30 16:37:03 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

preserve source file info when merging

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

preserve source file info when merging edit

Comments

1 Answer

Comments

Your Answer

Question Tools

Stats

preserve source file info when merging