Changing Interface Name via Editcap
Hi Experts,
I have numerous capture files which I intend to merge into one pcap using mergecap. Before doing so I want to clearly mark the source pcap files with a field that will allow me to quickly determine their original source file.
One way I can do it is via a loop as shown below, then using the comment field to sort my traffic:
for i in {1..3178}; do editcap -a "$i:SW4" Switch4.pcap Switch4_commented.PCAP; done
This approach, however, is really slow, especially when dealing with large files. What I was hoping to achieve was to actually edit the interface ID (frame.interface_id) in the file, rather than add a comment (leaving the comment field open for later use).
Can anybody suggest a good way to perform this sort of action? I am sure there is a better approach than what I am doing now.
Thanks
I see your problem - placing a comment on each packet is not really elegant or fast, so the idea of editing the interface ID instead is a much better idea. Right now there are almost no tools that can perform modifications on PCAPng meta structures (e.g. the interface block details). TraceWrangler is the only one I know of at this time, but it doesn't do (yet) what you described, it only sanitizes some of it. How fast do you need this feature? Is it time critical, or just something good to have for future tasks?
Hi Jasper, thanks a lot for your reply here, really appreciate it. As far as how quickly I would like this... so far I have managed to live without it, as has everybody.
My challenge is working with complex call flows; having this functionality really would save a lot of time. Absent this capability, I guess I have to stick with Layer 2 addresses or comment fields to deduce which capture a frame originates from in merged data.
Sorry, I didn't see you added a comment until now - I'll see what I can do :-)
I got exactly the same problem: two capture files, both with an IDB with a single interface #0. Want to merge these, still knowing which frame came over which interface. But when doing this with mergecap I end up with all frames from interface #0...
I added a feature to edit the interface name via the Edit task in a new tab called "PCAPng Meta". Using the "Modify Interface Name" setting, all files in the file list will be written with the name specified for their interface names.
Note:
Download here: https://www.tracewrangler.com/downloa...
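What an interface-name rewrite means at the file-format level, as an added example that is not part of the thread and is not TraceWrangler's code: it walks the pcapng blocks and sets the if_name option (code 2) on every Interface Description Block, leaving packet blocks untouched. The function names and the sample capture are constructed for illustration.

```python
import struct
SHB_TYPE, IDB_TYPE, IF_NAME = b"\x0a\x0d\x0d\x0a", 1, 2  # block types, if_name option code

def _blk(e, btype, body):  # type, total length, body, total length again
    total = struct.pack(e + "I", len(body) + 12)
    return struct.pack(e + "I", btype) + total + body + total

def _blocks(data):
    """Yield (endianness, type, body) per block; byte order is taken from each SHB."""
    pos, e = 0, "<"
    while pos < len(data):
        if data[pos:pos + 4] == SHB_TYPE:              # same bytes in either byte order
            e = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(e + "II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError(f"bad block length {blen} at offset {pos}")
        yield e, btype, data[pos + 8:pos + blen - 4]
        pos += blen

def _options(e, raw):
    """Parse an options area into (code, value) pairs, stopping at opt_endofopt."""
    pos, out = 0, []
    while pos + 4 <= len(raw):
        code, olen = struct.unpack_from(e + "HH", raw, pos)
        if code == 0:
            break
        out.append((code, raw[pos + 4:pos + 4 + olen]))
        pos += 4 + olen + (-olen % 4)                  # values are padded to 32 bits
    return out

def if_names(data):  # names of all IDBs in file order ('' when if_name is absent)
    return [dict(_options(e, body[8:])).get(IF_NAME, b"").decode()
            for e, btype, body in _blocks(data) if btype == IDB_TYPE]

def set_if_name(data, name):
    """Return a copy of the pcapng bytes with if_name replaced (or added) on every IDB."""
    out = bytearray()
    for e, btype, body in _blocks(data):
        if btype == IDB_TYPE:
            opts = [(IF_NAME, name.encode())] + [o for o in _options(e, body[8:]) if o[0] != IF_NAME]
            body = body[:8] + b"".join(                # keep linktype/reserved/snaplen
                struct.pack(e + "HH", c, len(v)) + v + bytes(-len(v) % 4)
                for c, v in opts) + bytes(4)           # opt_endofopt
        out += _blk(e, btype, body)
    return bytes(out)

# Constructed sample: SHB, one IDB named "eth0", one EPB carrying 4 bytes.
SAMPLE = (_blk("<", 0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + _blk("<", 1, struct.pack("<HHI", 1, 0, 65535) + struct.pack("<HH", 2, 4) + b"eth0" + bytes(4))
          + _blk("<", 6, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\xde\xad\xbe\xef"))
```

The input must already be pcapng; a classic pcap file has no interface blocks to rename and would have to be converted first.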