Changing Interface Name via Editcap

asked 2018-03-16 16:16:56 +0000 by anonymous user

Hi Experts,

I have numerous capture files which I intend to merge into one pcap using mergecap. Before doing so I want to clearly mark the source pcap files with a field that will allow me to quickly determine their original source file.

One way I can do it is via a loop as shown below, then using the comment field to sort my traffic:

for i in {1..3178}; do editcap -a "$i:SW4" Switch4.pcap Switch4_commented.PCAP; done

This approach, however, is really slow, especially when dealing with large files. What I was hoping to achieve was to actually edit the interface id (frame.interface_id) in the file, rather than add a comment (leaving the comment field open for later use).

Can anybody suggest a good way to perform this sort of action? I am sure there is a better approach than what I am doing now.

Thanks

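The question (and woli's comment below about two files that both carry only interface #0) comes down to the pcapng structure: each Enhanced Packet Block (EPB) holds a 32-bit Interface ID that indexes the Interface Description Blocks (IDBs) of its section, so tagging a file's packets with a distinct interface means (1) making sure an IDB with that index exists and (2) rewriting the Interface ID field in every EPB. The script below is an added example, not code from the original post or from the Wireshark project; it parses the block framing directly with struct, clones IDB #0 as needed (giving the new one an if_name option such as "SW4"), and rewrites each EPB. Assumptions: little-endian single-section files, IDBs preceding the packets that reference them, and only EPBs carry packets (Simple Packet Blocks and Interface Statistics Blocks are left untouched). The sample capture is constructed inline.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT, OPT_IF_NAME = 0, 2


def _pad4(b):
    """Pad to a 32-bit boundary, as pcapng requires for option values and packet data."""
    return b + b"\x00" * (-len(b) % 4)


def _block(btype, body):
    """Generic block frame: type, total length, body, total length (repeated)."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)


def _idb(link_type, snaplen, name=None):
    body = struct.pack("<HHI", link_type, 0, snaplen)
    if name is not None:                       # optional if_name option, then end-of-options
        enc = name.encode("utf-8")
        body += struct.pack("<HH", OPT_IF_NAME, len(enc)) + _pad4(enc)
        body += struct.pack("<HH", OPT_ENDOFOPT, 0)
    return _block(IDB, body)


def _epb(iface, payload, ts):
    body = struct.pack("<IIIII", iface, ts >> 32, ts & 0xFFFFFFFF, len(payload), len(payload))
    return _block(EPB, body + _pad4(payload))


def build_sample_pcapng(payloads, link_type=1, snaplen=65535):
    """Constructed sample capture: one section, one interface (#0), one EPB per payload."""
    shb = _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    return shb + _idb(link_type, snaplen) + b"".join(_epb(0, p, i) for i, p in enumerate(payloads))


def iter_blocks(data):
    """Yield (offset, type, total_length) per block, checking both length fields."""
    off = 0
    while off < len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"bad block length at offset {off}")
        if struct.unpack_from("<I", data, off + total - 4)[0] != total:
            raise ValueError(f"trailing length mismatch at offset {off}")
        yield off, btype, total
        off += total


def epb_interface_ids(data):
    """Interface ID of every EPB, in file order (what frame.interface_id would show)."""
    return [struct.unpack_from("<I", data, off + 8)[0]
            for off, bt, _ in iter_blocks(data) if bt == EPB]


def idb_names(data):
    """if_name option of every IDB (None when absent), in interface-index order."""
    names = []
    for off, bt, total in iter_blocks(data):
        if bt != IDB:
            continue
        name, pos = None, off + 16                 # options start after linktype/reserved/snaplen
        while pos + 4 <= off + total - 4:
            code, length = struct.unpack_from("<HH", data, pos)
            if code == OPT_ENDOFOPT:
                break
            if code == OPT_IF_NAME:
                name = data[pos + 4:pos + 4 + length].decode("utf-8")
            pos += 4 + (length + 3) // 4 * 4
        names.append(name)
    return names


def retag_interface(data, new_id, name):
    """Point every EPB at interface `new_id`, cloning IDB #0 so that index exists."""
    if struct.unpack_from("<I", data, 8)[0] != BYTE_ORDER_MAGIC:
        raise ValueError("only little-endian files are handled in this example")
    out, idb_count, template = bytearray(), 0, None
    for off, btype, total in iter_blocks(data):
        blk = bytearray(data[off:off + total])
        if btype == SHB:
            if off != 0:
                raise ValueError("multi-section files are not handled in this example")
            struct.pack_into("<q", blk, 16, -1)   # section length becomes unknown: blocks are added
        elif btype == IDB:
            idb_count += 1
            if template is None:                  # remember link type / snaplen of IDB #0
                link_type, _, snaplen = struct.unpack_from("<HHI", blk, 8)
                template = (link_type, snaplen)
        elif btype == EPB:
            if template is None:
                raise ValueError("EPB before any IDB")
            while idb_count <= new_id:            # IDBs must precede the packets that use them
                out += _idb(*template, name if idb_count == new_id else None)
                idb_count += 1
            struct.pack_into("<I", blk, 8, new_id)
        out += blk
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_pcapng([b"\x01\x02\x03", b"\x04" * 6])
    tagged = retag_interface(sample, 1, "SW4")
    print(epb_interface_ids(sample), "->", epb_interface_ids(tagged), idb_names(tagged))
```

Run it once per source file with a different `new_id` (1 for Switch4, 2 for the next switch, and so on) before merging, so the interface indices no longer collide. Whether the merged file keeps those indices depends on the mergecap version in use, so check the result with `tshark -r merged.pcapng -T fields -e frame.interface_id` (the field the question already names) rather than assuming it; the idb_names() helper is there to confirm the if_name landed on the intended IDB.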

Comments

I see your problem - placing a comment on each packet is not really elegant or fast, so the idea of editing the interface ID instead is a much better idea. Right now there are almost no tools that can perform modifications on PCAPng meta structures (e.g. the interface block details). TraceWrangler is the only one I know of at this time, but it doesn't do (yet) what you described, it only sanitizes some of it. How fast do you need this feature? Is it time critical, or just something good to have for future tasks?

Jasper ( 2018-03-18 10:56:56 +0000 )

Hi Jasper, thanks a lot for your reply here, really appreciate it. As far as how quickly I would like this... so far I have managed to live without it, as has everybody.

My challenge is working with complex call flows; having this functionality really would save a lot of time. Absent this capability, I guess I have to stick with Layer 2 addresses or comment fields to deduce which capture a frame originates from in merged data.

krypton179 ( 2018-03-26 12:47:26 +0000 )

Sorry, I didn't see you added a comment until now - I'll see what I can do :-)

Jasper ( 2018-04-12 13:10:03 +0000 )

I've got exactly the same problem: two capture files, both with an IDB with a single interface #0. I want to merge these while still knowing which frame came over which interface. But when doing this with mergecap I end up with all frames from interface #0...

woli ( 2018-04-17 14:07:24 +0000 )