Ask Your Question
0

preserve source file info when merging

asked 2020-09-29 23:32:08 +0000

sigtraniac gravatar image

I frequently have to capture a given traffic flow from multiple taps and compare the resultant files.

Staring and comparing multiple wireshark windows is difficult but merging the pcapng files loses the ability to clearly identify which tap captured which packet. I have to be able to quickly distinguish a packet dropped by the network versus one not captured by a tap.

I'd like to set the packet.comment field to that of the original file name before merging. Is that possible with some one-liner or with lua?

Currently I'm using a perl script to bounce between two temp files updating one frame at a time with editcap. Performance isn't great at 4 to 14 frames per second depending on the file.

edit retag flag offensive close merge delete

Comments

Do frame.interface_id or frame.interface_name vary based on tap?
Or would it be okay to modify the interface name?
Trace Wrangler can do that. Unfortunately doesn't add frame comments.

Chuckc gravatar imageChuckc ( 2020-09-30 00:25:08 +0000 )edit

interface_name is always -.

I check out Trace Wrangler. Thanks!

sigtraniac gravatar imagesigtraniac ( 2020-09-30 16:41:29 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-09-30 00:36:35 +0000

cmaynard gravatar image

After merging .pcapng files into another .pcapng file, you ought to be able to determine the file from which the packets originated using the frame.interface_id field, which you can see if you expand the Frame details in the Packet Details Pane and which you can apply as a column. That would, I think, negate the need to set the frame.comment field.

See also these related questions and associated answers:

edit flag offensive delete link more

Comments

Thanks. I recently saw that field but wasn't sure what it was tracking. I carefully re-merged my files and verified the value lines up with the file in the order it appears in the mergecap command.

Thanks!

sigtraniac gravatar imagesigtraniac ( 2020-09-30 16:37:03 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-09-29 23:32:08 +0000

Seen: 260 times

Last updated: Sep 30 '20