Ask Your Question
0

Can Mergecap merge captures in a different directory than where it is located?

asked 2021-10-14 18:16:38 +0000

cweller gravatar image

I have a folder specifically for my captures, it is a separate directory from that of the Wireshark directory. I am trying to use Mergecap to merge multiple captures in this directory and it is not able to detect the files I am referencing.

When I put my captures in my Wireshark directory, it works perfectly fine, but it is then surrounded by files and folders that are not associated with my caps, and it makes it hard to manage/organize.

Is it possible in some way to make Mergecap read/detect files in a directory that it doesn't exist in?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-10-14 20:49:34 +0000

BigFatCat gravatar image

updated 2021-10-15 08:05:29 +0000

grahamb gravatar image

The reason you can't run mergecap from you capture directory is because the Wireshark program is not in your path. Wireshark's installation doesn't add itself to the path. I am assuming you are using Windows. There are two options:

  1. type c:"\program files\wireshark\mergecap", the double quotes is because the space in "program files"
  2. Update the Windows path. Go to the Windows "Advanced System Settings", "Environmental Variables", "User variables, click "path", and then edit. Add the folder that Wireshark folder, e.g. "c:\Program Files\Wireshark\", closed all the windows and then restart. Mergecap can run from any folder.

Merging files from different folders I just tested this with Windows 10. I created c:\temp2, c:\temp3, and c:\temp4 folders. I copied one pcap to c:\temp3 folder and different pcap to c:\temp4 folder. Then from c:\temp2, I merged the two pcaps together. You will need to use the full path name for the file names, e.g. c:\temp3\test.pcap.

edit flag offensive delete link more

Comments

Add the folder that Wireshark folder, e.g. "c:\Program Files\Wireshark\", closed all the windows and then restart. Mergecap can run from any folder.

And so can other command-line Wireshark tools, such as TShark, editcap, capinfos, and so on.

Guy Harris gravatar imageGuy Harris ( 2021-10-14 22:26:13 +0000 )edit

Another option if you use PowerShell is to add aliases to the tools, This has a slight advantage in that it doesn't pollute your PATH which can often be filled with rubbish from programs that are installed and then uninstalled and don't clean up properly after them.

The following one-liner will add aliases for all the executables in the Wireshark directory:

> Get-ChildItem 'C:\Program Files\Wireshark\*.exe' | ForEach-Object { New-Alias -Name $_.BaseName -Value $_.FullName -Force }
grahamb gravatar imagegrahamb ( 2021-10-15 08:14:42 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2021-10-14 18:16:38 +0000

Seen: 531 times

Last updated: Oct 15 '21

Related questions

Is there a tool or best practices for intelligent merging?

Changing Interface Name via Editcap

mergecap with latest Windows 10 update

Need to upgrade wireshark version on redhat

mergecap and dlt_user

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2