I'm trying to merge numerous pcap files together for post-processing after capture, however, I need to retain information about the source file of each packet (the file name contains information about the network tap source). This information isn't available anywhere in the packets themselves. My idea is to use the convenience of pcapng which allows adding a frame comment (frame.comment) to a packet and which can be done programmatically using editcap. I could use this to add information from the file name to each packet that would be carried forward into the merged file. However it seems that editcap only allows you to add comments to specific frames editcap -a <framenumber>:<comment> but not a range of frames. Doing this manually isn't a viable option as I am dealing with a lot of large pcap files. Ideas?
Asked
Active
Viewed 764 times
0
Greysquall
- 48
- 3
1 Answers
2
This will save the filename as a comment to every packet in every pcap, recursively. If you only need to do this to one file, remove the outer for loop.
for f in $(find *.pcap); do
num_frames=$(capinfos -rcT "$f" | awk '{ print $NF }')
for i in $(seq 1 $num_frames); do
editcap "$f" "$f" -a "$i:$f"
done
done
find *.pcapwill recursively find all pcap-type files in this directorycapinfosis a wireshark CLI tool like wireshark that provides info on captures
Note that you could dynamically include some other comment instead, like timestamp.
Ross Jacobs
- 2,962
- 1
- 17
- 27
-
awesome. I will try that out. Thank you so much. I wasn't aware that you could resave to the same filename with editcap so I learned something else as well. I will also look into capinfos to see what else I can pull out. Thanks again. – Greysquall Jun 20 '20 at 17:51
-
You may want to check out tshark.dev if you're learning how to use tools in this space. – Ross Jacobs Jun 20 '20 at 18:00