1

I have two pcapng files. Each one is a traffic capture that occurred at the same router but on different interfaces.

Since I want to study the behavior of the router's protocols globally I thought on merging these two files into one, so it would be easier to study the different protocols.

I've used the tool mergcap, such as this:

mergecap -w new_file.pcapng file1.pcapng file2.pcapng

According to the manual of mergecap, the files will be merged chronologically, based on the timestamp of each packet within each file1.pcapng and file2.pcapng.

The problem I'm facing now is that after the merge has taken place, packets that I had in file1.pcapng are not found with the same timestamp on new_file.pcapng.

Has anyone done something like this before? I'm using mergecap 2.0.2.

Thanks!

Lucas

Lucas Aimaretto
  • 1,399
  • 1
  • 22
  • 34
  • 1
    If you do `View > Time Display Format > Date and Time of Day` it still persists? – grochmal Jun 21 '16 at 18:05
  • Hi @grochmal! Yes, indeed, after following your suggestion I got the merged packets chronologically aligned ... thanks for the tip! – Lucas Aimaretto Jun 25 '16 at 20:07
  • Cool, it means you collected the packets on the same machine (i was confused since some people say "collected on router" and they actually mean "connected on a machine connected to the router"). I'll add a full explanation in a moment, including the case of merging files on different machines. – grochmal Jun 25 '16 at 20:38

1 Answers1

0

By default wireshark orders the packets chronologically starting from the first captured packet. Since you merged two capture files you have two packets that were the start of the capture but only one of them is the first packet in the file. Aligning packets by time based on the first captured packet does not make sense in case of a merged capture.

To be fair, it could make sense if wireshark ordered all packets in chronological order before picking which packet was captured first. Currently, the first packet in the file is the time reference (see time references) by default.

Thankfully wireshark stores the packet time as a timestamp since EPOCH. This allows to align the packets in a merged file chronologically using the several options in View > Time Display Format.

Captures from different machines

The above has one limitation: Since the timestamps are based on EPOCH, if you capture packets from different machines you need to make sure that the clocks of these machines are aligned.

In the case that your capture files originate from different machines and the clocks on these machines are not aligned, you need to shift the timestamps on one of the captures before merging. That, in turn, can be accomplished with wiresharks Edit > Time Shift.

grochmal
  • 2,901
  • 2
  • 22
  • 28