Mergecap




Mergecap is used to combine multiple saved capture files into a single output file. Mergecap can read all of the same file types that Ethereal can, and by default writes libpcap format. Mergecap can also write the output capture file as standard and modified versions of libpcap, Sun snoop, Novell LANalyzer, NAI Sniffer, Microsoft Network Monitor, Visual Networks traffic capture, Accellent 5Views capture, and Network Instruments Observer version 9 captures. Mergecap automatically detects the type of each file it reads, and can also read files that are compressed with gzip. By default, the packets from the input files are merged in chronological order based on each packet’s timestamp; mergecap does this by comparing the next unread packet of every input file and writing the earliest, so it assumes each input file is itself in timestamp order. If the –a option is specified, packets are copied directly from each input file to the output file, in the order the files are given, regardless of timestamp.

The following information is the usage output for the mergecap program:

C:\Program Files\Ethereal>mergecap -h
mergecap version 0.10.0
Usage: mergecap [-hva] [-s <snaplen>] [-T <encap type>]
          [-F <capture type>] -w <outfile> <infile> [...]

  where -h produces this help listing.
        -v verbose operation, default is silent
        -a files should be concatenated, not merged
             Default merges based on frame timestamps
        -s <snaplen>: truncate packets to <snaplen> bytes of data
        -w <outfile>: sets output filename to <outfile>
        -T <encap type> encapsulation type to use:
             ether - Ethernet
             tr - Token Ring
             slip - SLIP
             ppp - PPP
             fddi - FDDI
             fddi-swapped - FDDI with bit-swapped MAC addresses
             rawip - Raw IP
             arcnet - ARCNET
             arcnet_linux - Linux ARCNET
             atm-rfc1483 - RFC 1483 ATM
             linux-atm-clip - Linux ATM CLIP
             lapb - LAPB
             atm-pdus - ATM PDUs
             atm-pdus-untruncated - ATM PDUs - untruncated
             null - NULL
             ascend - Lucent/Ascend access equipment
             isdn - ISDN
             ip-over-fc - RFC 2625 IP-over-Fibre Channel
             ppp-with-direction - PPP with Directional Info
             ieee-802-11 - IEEE 802.11 Wireless LAN
             ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
             linux-sll - Linux cooked-mode capture
             frelay - Frame Relay
             frelay-with-direction - Frame Relay with Directional Info
             chdlc - Cisco HDLC
             ios - Cisco IOS internal
             ltalk - Localtalk
             prism - IEEE 802.11 plus Prism II monitor mode header
             pflog-old - OpenBSD PF Firewall logs, pre-3.4
             hhdlc - HiPath HDLC
             docsis - Data Over Cable Service Interface Specification
             cosine - CoSine L2 debug log
             wlan - IEEE 802.11 plus AVS WLAN monitor header
             whdlc - Wellfleet HDLC
             sdlc - SDLC
             tzsp - Tazmen sniffer protocol
             enc - OpenBSD enc(4) encapsulating interface
             pflog - OpenBSD PF Firewall logs
             chdlc-with-direction - Cisco HDLC with Directional Info
             bluetooth-h4 - Bluetooth H4
             mtp2 - SS7 MTP2
             mtp3 - SS7 MTP3
             default is the same as the first input file
        -F <capture type> capture file type to write:
             libpcap - libpcap (tcpdump, Ethereal, etc.)
             rh6_1libpcap - RedHat Linux 6.1 libpcap (tcpdump)
             suse6_3libpcap - SuSE Linux 6.3 libpcap (tcpdump)
             modlibpcap - modified libpcap (tcpdump)
             nokialibpcap - Nokia libpcap (tcpdump)
             lanalyzer - Novell LANalyzer
             ngsniffer - Network Associates Sniffer (DOS-based)
             snoop - Sun snoop
             netmon1 - Microsoft Network Monitor 1.x
             netmon2 - Microsoft Network Monitor 2.x
             ngwsniffer_1_1 - Network Associates Sniffer (Windows-based) 1.1
             ngwsniffer_2_0 - Network Associates Sniffer (Windows-based) 2.00x
             visual - Visual Networks traffic capture
             5views - Accellent 5Views capture
             niobserverv9 - Network Instruments Observer version 9
             default is libpcap

The following command line options control mergecap’s data translation and output:

  • –a This option ignores the timestamps in the input capture files and concatenates them one after the other, in the order they appear on the command line. When this option is omitted, the packets from the input files are merged in chronological order based on the packet timestamps.

  • –F type This option is used to set the format of the output capture file. For example, if you want to merge capture files and save them in the Sun snoop format so that snoop can read the output file, you would use the –F snoop option.

  • –h This option prints the help options of mergecap, then exits.

  • –s snaplen This option sets the snapshot length to use when writing the data to the output capture file. Packets larger than the snaplen are truncated to snaplen bytes; the recorded original length of each packet is kept, so the output still shows how big the packet was on the wire. This option is helpful if you only want to keep the packet headers (for example, to drop payload that may contain sensitive data before sharing a capture), or if the program you will be importing the capture file into can only read packets up to a certain size.

  • –T type This option sets the packet encapsulation type of the output capture file. The default is the encapsulation type of the input files, provided they are all the same. If the input files do not all have the same encapsulation type, the output encapsulation type defaults to WTAP_ENCAP_PER_PACKET (a different type for each packet); libpcap and most other capture formats cannot represent that, so the merge fails. The –T option forces the output file’s encapsulation type to the one specified, which lets the merge proceed. Note that –T only changes the link-layer type recorded in the output file header; the packet bytes are copied unchanged, so packets whose real framing differs from the forced type will be dissected incorrectly when the merged file is opened.

  • –v This option causes mergecap to print progress messages to the screen while it is processing files, including the detected type of each input file and the selected output encapsulation type.

  • –w file This option writes the merged packets to the named file. It is required; mergecap has no default output file.
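The merge rules above are simple enough to reproduce. The following Python is an added example written for this page, not mergecap’s own code and not from the book: it reads several classic little-endian libpcap files, merges them by timestamp (the default) or concatenates them (–a), truncates each packet to a snapshot length (–s), and refuses to write when the inputs disagree on link-layer type unless a type is forced (–T), which is the failure shown later with the three mixed-encapsulation captures. The sample captures, the link-type numbers, and all function names are constructed for the example; the merged result is returned as bytes rather than written to disk.

```python
import heapq
import struct

# Classic libpcap file layout (little-endian magic), used for both reading and writing.
PCAP_MAGIC_LE = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1                    # "ether" in mergecap's -T list
LINKTYPE_RAW = 101                       # stands in for a non-Ethernet input (constructed choice)


class PerPacketEncapError(ValueError):
    """Mixed input encapsulations: libpcap cannot store a per-packet link type."""


def write_pcap(linktype, records, snaplen=65535):
    """Serialise records of (ts_sec, ts_usec, data, orig_len) into a libpcap byte string."""
    out = [GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, data, orig_len in records:
        out.append(PKT_HDR.pack(ts_sec, ts_usec, len(data), orig_len) + data)
    return b"".join(out)


def read_pcap(blob):
    """Parse a libpcap byte string into (linktype, [(ts_sec, ts_usec, data, orig_len), ...])."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file")
    off, records = GLOBAL_HDR.size, []
    while off < len(blob):
        if off + PKT_HDR.size > len(blob):
            raise ValueError("truncated packet header")
        ts_sec, ts_usec, incl_len, orig_len = PKT_HDR.unpack_from(blob, off)
        off += PKT_HDR.size
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated packet data")      # never silently accept a short record
        off += incl_len
        records.append((ts_sec, ts_usec, data, orig_len))
    return linktype, records


def mergecap(inputs, concatenate=False, snaplen=None, force_linktype=None):
    """Merge libpcap blobs following mergecap's -a, -s and -T semantics; returns libpcap bytes."""
    parsed = [read_pcap(blob) for blob in inputs]
    linktypes = {lt for lt, _ in parsed}
    if force_linktype is not None:
        out_linktype = force_linktype          # -T: only the header changes; packet bytes are untouched
    elif len(linktypes) == 1:
        out_linktype = next(iter(linktypes))   # default: same as the (single) input type
    else:
        raise PerPacketEncapError("multiple frame encapsulation types detected: %s" % sorted(linktypes))
    if concatenate:
        records = [r for _, recs in parsed for r in recs]          # -a: file order, no reordering
    else:
        # Default: take the earliest head record across files, as mergecap does. Each stream is
        # consumed in its own order, so an unsorted input file still yields an unsorted output.
        streams = [[(r[0], r[1], i, n, r) for n, r in enumerate(recs)] for i, (_, recs) in enumerate(parsed)]
        records = [item[4] for item in heapq.merge(*streams)]
    if snaplen is not None:
        records = [(s, u, d[:snaplen], o) for s, u, d, o in records]   # -s: cut data, keep orig_len
    return write_pcap(out_linktype, records, snaplen if snaplen is not None else 65535)


def frame(tag, length=60):
    """Constructed packet payload whose first byte identifies it."""
    return bytes([ord(tag)]) + b"\x00" * (length - 1)


def sample_inputs():
    """Constructed stand-ins for capture1..capture3: two Ethernet files and one raw-IP file."""
    capture1 = write_pcap(LINKTYPE_ETHERNET, [(100, 0, frame("A"), 60), (102, 0, frame("C"), 60)])
    capture2 = write_pcap(LINKTYPE_ETHERNET, [(101, 0, frame("B"), 60), (103, 500000, frame("D"), 60)])
    capture3 = write_pcap(LINKTYPE_RAW, [(99, 0, frame("E", 40), 40)])
    return capture1, capture2, capture3


def packet_tags(blob):
    """Order of packets in a file, by identifying first byte, e.g. 'ABCD'."""
    _, records = read_pcap(blob)
    return "".join(chr(d[0]) for _, _, d, _ in records)


if __name__ == "__main__":
    c1, c2, c3 = sample_inputs()
    print("chronological:", packet_tags(mergecap([c1, c2])))                  # ABCD
    print("concatenated :", packet_tags(mergecap([c1, c2], concatenate=True)))  # ACBD
    _, recs = read_pcap(mergecap([c1, c2], snaplen=35))
    print("snaplen 35   :", [(len(d), o) for _, _, d, o in recs])          # stored 35 bytes, wire length 60
    try:
        mergecap([c1, c2, c3])
    except PerPacketEncapError as err:
        print("mixed encap  :", err)
    print("forced -T    :", packet_tags(mergecap([c1, c2, c3], force_linktype=LINKTYPE_ETHERNET)))  # EABCD
```

The forced merge succeeds only because the output header now claims Ethernet for every packet; the raw-IP packet E is still raw IP on the inside, which is exactly the misdissection risk of –T noted above.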

The following example uses mergecap to merge four capture files (capture1, capture2, capture3, and capture4) into a single Sun snoop output file called merge_snoop, in chronological order by packet timestamp, keeping only the first 35 bytes of each packet. Mergecap keeps reading until the end of the last input file is reached:

C:\Program Files\Ethereal>mergecap -s 35 -v -F snoop -w merge_snoop capture1 capture2 capture3 capture4
mergecap: capture1 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture2 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture3 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture4 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: opened 4 of 4 input files
mergecap: selected frame_type Ethernet (ether)
Record: 1
Record: 2
Record: 3
Record: 4
Record: 5
Record: 6
Record: 7
Record: 8
Record: 9
Record: 10
output removed

The following example uses mergecap to merge four capture files (capture1, capture2, capture3, and capture4) into a single output file called merge_file regardless of packet timestamp. All of the packets of capture1 are written first, followed by those of capture2, and so on:

C:\Program Files\Ethereal>mergecap -v -a -w merge_file capture1 capture2 capture3 capture4
mergecap: capture1 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture2 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture3 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture4 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: opened 4 of 4 input files
mergecap: selected frame_type Ethernet (ether)
Record: 1
Record: 2
Record: 3
Record: 4
Record: 5
Record: 6
Record: 7
Record: 8
Record: 9
Record: 10
output removed

The following example shows an attempt to use mergecap to merge three capture files with different encapsulation types (capture1, capture2, and capture3) into a single output file called merge_encap. Because no output encapsulation type is given, mergecap falls back to the per-packet encapsulation type and then reports an error, because the libpcap format cannot represent that type of encapsulation:

C:\Program Files\Ethereal>mergecap -v -w merge_encap capture1 capture2 capture3
mergecap: capture1 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture2 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture3 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: opened 3 of 3 input files
mergecap: multiple frame encapsulation types detected
          defaulting to WTAP_ENCAP_PER_PACKET
          capture1 had type (null) ((null))
          capture2 had type Ethernet (ether)
mergecap: selected frame_type (null) ((null))
mergecap: Can't open/create merge_encap:
          That file format doesn't support per-packet encapsulations

The following example repeats the merge of the same three capture files with different encapsulation types (capture1, capture2, and capture3) into a single output file called merge_encap, this time using the –T option to force an Ethernet encapsulation type for the output file. The merge now succeeds, but only the file header has changed: the packets from capture1 keep their original framing and will not dissect correctly as Ethernet when the merged file is opened:

C:\Program Files\Ethereal>mergecap -v -T ether -w merge_encap capture1 capture2 capture3
mergecap: capture1 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture2 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: capture3 is type libpcap (tcpdump, Ethereal, etc.).
mergecap: opened 3 of 3 input files
Record: 1
Record: 2
Record: 3
Record: 4
Record: 5
Record: 6
Record: 7
Record: 8
Record: 9
Record: 10
output removed






Ethereal Packet Sniffing (Syngress)
ISBN: 1932266828
Year: 2004
Pages: 105
Authors: Syngress
