Jishnu U Nair

Reputation: 520

merged pcap file from mergecap command

I have created a merge script to merge all pcap files in a folder into a single file. The merge function works. But is there any way to test whether the contents of the merged file and the input files are the same? I ask because the application I have to read the file with says the merged file is somehow corrupt.

Upvotes: 2

Views: 2147

Answers (2)

assafmo

Reputation: 1086

This happens sometimes with mergecap and tcpslice. They don't work well if the input pcap files aren't perfect.

This can be solved using joincap.

go get -u github.com/assafmo/joincap

To merge 1.pcap and 2.pcap:

joincap 1.pcap 2.pcap > merged.pcap

I wrote joincap to overcome what I believe is bad error handling by mergecap and tcpslice.
For more details go to https://github.com/assafmo/joincap.

Upvotes: 0

Steffen Ullrich

Reputation: 123320

Try to load the merged file with Wireshark or tcpdump, which should tell you if it is corrupt. But maybe the file is not corrupt but in a format your application does not understand. Try to merge with output format 'pcap', e.g. mergecap -F pcap, because some applications do not work with pcapng (used by Wireshark).

Upvotes: 1
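
The check the question asks for, as an added example that is not part of either answer: it reads the magic number to tell pcap from pcapng, walks the classic pcap record headers to detect truncation, and compares the merged file's packet bytes with those of the inputs (timestamps are ignored). It assumes the merge was written as classic pcap (`mergecap -F pcap`); all function names are this example's own, and `build_pcap` only constructs sample data.

```python
import struct

# Classic pcap magics (micro/nanosecond timestamps, both byte orders).
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
               b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type

def capture_format(data):
    """Identify the container from the first four bytes of the file."""
    if data[:4] in PCAP_MAGICS:
        return "pcap"
    return "pcapng" if data[:4] == PCAPNG_MAGIC else "unknown"

def pcap_records(data):
    """Return (payloads, clean) for a classic pcap; clean is False when
    the file is truncated in the global header or inside a record."""
    if capture_format(data) != "pcap":
        raise ValueError("not a classic pcap file: " + capture_format(data))
    if len(data) < 24:  # global header is 24 bytes
        return [], False
    endian, payloads, offset = PCAP_MAGICS[data[:4]], [], 24
    while offset < len(data):
        if offset + 16 > len(data):  # record header is 16 bytes
            return payloads, False
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        offset += 16
        if offset + incl_len > len(data):
            return payloads, False
        payloads.append(data[offset:offset + incl_len])
        offset += incl_len
    return payloads, True

def same_packets(merged, inputs):
    """True if merged parses cleanly and holds exactly the inputs' packets."""
    got, clean = pcap_records(merged)
    want = [p for d in inputs for p in pcap_records(d)[0]]
    # Sorted comparison: the merge may reorder packets by timestamp.
    return clean and sorted(got) == sorted(want)

def build_pcap(packets):
    """Constructed sample data: a little-endian Ethernet pcap built
    from (timestamp_seconds, payload) pairs, not a real capture."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(
        struct.pack("<IIII", ts, 0, len(p), len(p)) + p for ts, p in packets)

if __name__ == "__main__":
    a, b = build_pcap([(1, b"aaaa"), (3, b"cc")]), build_pcap([(2, b"bbb")])
    merged = build_pcap([(1, b"aaaa"), (2, b"bbb"), (3, b"cc")])
    print(capture_format(merged), same_packets(merged, [a, b]))
```

For real files, pass the bytes from `open(path, "rb").read()` for the merged capture and each input.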
