Ask Your Question
0

Changing Interface Name via Editcap

asked 2018-03-16 16:16:56 +0000

anonymous user

Anonymous

Hi Experts,

I have numerous capture files which I intend to merge into one pcap using mergecap. Before doing so I want to clearly mark the source pcap files with a field that will allow me to quickly determine their original source file.

One way which I can do it is via a loop as show below, then using the comment field to sort my traffic:

for i in {1..3178}; do editcap -a "$i:SW4" Switch4.pcap Switch4_commented.PCAP; done

This approach however is really slow, especially when dealing with large files. What I was hoping to achieve, was to actually edit the interface id (frame.interface_id) in the file, rather than add a comment (leaving the comment field open for later use).

Can anybody suggest a good way to perform this sort of action? I am sure there is a better approach than what I am doing now.

Thanks

edit retag flag offensive close merge delete

Comments

I see your problem - placing a comment on each packet is not really elegant or fast, so the idea of editing the interface ID instead is a much better idea. Right now there are almost no tools that can perform modifications on PCAPng meta structures (e.g. the interface block details). TraceWrangler is the only one I know of at this time, but it doesn't do (yet) what you described, it only sanitizes some of it. How fast do you need this feature? Is it time critical, or just something good to have for future tasks?

Jasper gravatar imageJasper ( 2018-03-18 10:56:56 +0000 )edit

Hi Jasper, thanks a lot for your reply here, really appreciate it. As far as how quickly I would like this... so far I have managed to live without it, as has everybody.

My challenge is working with complex call flows, having this functionality really would save a lot of time. Absent of this capability, I guess I have to stick with Layer 2 addresses or comments fields to deduce which capture a frame originate from in merged data.

krypton179 gravatar imagekrypton179 ( 2018-03-26 12:47:26 +0000 )edit

Sorry, I didn't see you added a comment until now - I'll see what I can do :-)

Jasper gravatar imageJasper ( 2018-04-12 13:10:03 +0000 )edit

I got exactly the same problem: two capture files, both with an IDB with a single interface #0. Want to merge these, still knowing which frame came over which interface. But when doing this with mergecap I end up with all frames from interface #0...

woli gravatar imagewoli ( 2018-04-17 14:07:24 +0000 )edit

I added a feature to edit the interface name via Edit task in a new tab called "PCAPng Meta". Using the "Modify Interface Name" setting all files in the file list will be written with the name specified for their interface names.

Note:

  • this doesn't care about how many interfaces there are in each file, so all interface names will be replaced.
  • TraceWrangler runs on Windows only, but it should run on WINE

Download here: https://www.tracewrangler.com/downloa...

Jasper gravatar imageJasper ( 2018-04-23 17:15:42 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2024-06-12 21:29:01 +0000

melds gravatar image

I needed to do this as well. The format needs to be in pcapng format first and then use the "none" interface option in mergecap and you'll get different interface numbers.

I did:

path %PATH%;%programfiles%\wireshark
editcap host.pcap host.pcapng
editcap guest.pcap guest.pcapng
mergecap -I none -w merged.pcapng host.pcapng guest.pcapng

In merged.pcapng, "host.pcapng" is identified as interface 0 and "guest.pcapng" is interface 1.

It's helpful to add a custom column "Int" with the field "frame.interface_id" to see it easily.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-03-16 16:16:56 +0000

Seen: 961 times

Last updated: Jun 12