
I am dealing with a large number of pcap files from numerous collection sources. I need to programmatically filter and I am using tshark for that, so I am merging all the files together first using mergecap. The problem with that is I also need collection point information, which is only available in the capture file name. I tried using editcap to add in per-packet comments specifying the original file, however that is untenable (see below for explanation). Any ideas how to track the original file after pcap files are merged?

Why the editcap solution won't work

I considered using editcap to add per-packet comments on every packet before merging (How to add a comment to all packets in numerous pcap files before merging into a single file), however the problem with this approach is that editcap requires every packet comment to be individually specified on the command line (you can't specify a range of packets). That's hundreds of thousands of comments and the command line won't support that. Additionally, if I try to run editcap with just a few comments at a time over and over, it rewrites the entire file every time, leading to thousands of file rewrites. Also not viable.

Greysquall

1 Answer


If your original capture files are in .pcapng format, then each one contains an Interface Description Block, or IDB. When you run mergecap to merge them, you can specify that IDBs not be merged using the -I none option. In this way, the interface number will be unique per original file and you can add a column that shows that information to easily differentiate the source of each packet by interface ID, or you can apply a display filter to isolate only those packets from a particular capture file.

The filter or column to use would be the frame.interface_id field, but you could also filter by frame.interface_name or frame.interface_description if those fields all have different values too. There's no guarantee those fields will be unique, though, as the interface name and/or description might contain the same information even if the capture files originate from different machines.

Christopher Maynard
  • Unfortunately, the capture files are pcap, not pcapng, and as you said I can't rely on the IDB being unique due to 'business logic'. However, this does make me wonder if post-collection I could iterate through all pcap files, add an IDB description and save as a new pcapng, and then merge all pcapngs together. Can IDB descriptions be added after collection, similar to IDB comments? And can it be done programmatically? – Greysquall Jul 01 '20 at 16:28
  • Currently when you convert pcap files to pcapng using `editcap`, a dummy Ethernet IDB is added. (`editcap` is a command-line tool, so conversion can be scripted.) Unfortunately, all pcapng files created this way won't contain an interface_description and only "unknown" as the interface_name; however, `mergecap` will enumerate all interfaces and so each packet will at least indicate the enumerated interface ID from which it came in the interface_id field, so you should be able to use this information to know which packet came from which original file and capture point. – Christopher Maynard Jul 04 '20 at 19:38
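The thread above ends with the pcap-to-pcapng conversion leaving the IDB name as "unknown" and no description, so the only link back to the source file is the enumerated interface ID. The following is an added example, not code from the question, the answer, or the Wireshark project: a small standalone Python writer that does the conversion and merge in one pass and stores the original file name in each IDB's if_name and if_description options, which is exactly the per-file IDB the asker wondered about. The block types and option codes are those defined by the pcapng format (SHB, IDB, EPB; if_name = 2, if_description = 3, if_tsresol = 9); the file names "siteA.pcap"/"siteB.pcap" and their packets are constructed sample input, and `packets_by_source` is a helper introduced here for illustration. The reader half is included so the mapping can be checked without tshark, and it keeps each source file's timestamp resolution rather than flattening nanosecond captures to microseconds.

```python
"""Added example: merge classic .pcap files into one .pcapng with one Interface
Description Block (IDB) per source file, so every packet's frame.interface_id,
frame.interface_name and frame.interface_description identify the original
capture file.  Hand-rolled pcap reader and pcapng writer/reader; not Wireshark code."""
import struct

PCAP_MAGIC_US, PCAP_MAGIC_NS = 0xA1B2C3D4, 0xA1B23C4D      # microsecond / nanosecond pcap
BT_SHB, BT_IDB, BT_EPB = 0x0A0D0D0A, 0x00000001, 0x00000006  # pcapng block types
OPT_ENDOFOPT, OPT_IF_NAME, OPT_IF_DESCRIPTION, OPT_IF_TSRESOL = 0, 2, 3, 9


def read_pcap(data):
    """Parse a classic pcap (either byte order). Returns (linktype, snaplen, tsresol,
    records); tsresol is 6 or 9, each record is (timestamp_ticks, packet_bytes, orig_len)."""
    for end in ("<", ">"):
        magic = struct.unpack_from(end + "I", data, 0)[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a pcap file")
    tsresol = 9 if magic == PCAP_MAGIC_NS else 6
    _, _, _, _, snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    records, off = [], 24
    while off + 16 <= len(data):
        sec, frac, incl, orig = struct.unpack_from(end + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl]
        if len(pkt) != incl:
            raise ValueError("truncated packet record at offset %d" % off)
        records.append((sec * 10 ** tsresol + frac, pkt, orig))
        off += 16 + incl
    return linktype, snaplen, tsresol, records


def _block(btype, body):
    """Frame a pcapng block: type, total length, body padded to 4 bytes, total length."""
    body += b"\0" * (-len(body) % 4)
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))


def _option(code, value):
    return struct.pack("<HH", code, len(value)) + value + b"\0" * (-len(value) % 4)


def merge_pcaps_to_pcapng(named_pcaps):
    """named_pcaps: list of (source_name, pcap_bytes). Interface N of the output is
    the N-th input file; packets are emitted in timestamp order, as mergecap does."""
    out = [_block(BT_SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1) + _option(OPT_ENDOFOPT, b""))]
    epbs = []
    for if_id, (name, pcap) in enumerate(named_pcaps):
        linktype, snaplen, tsresol, records = read_pcap(pcap)
        opts = (_option(OPT_IF_NAME, name.encode()) +
                _option(OPT_IF_DESCRIPTION, ("merged from " + name).encode()) +
                _option(OPT_IF_TSRESOL, bytes([tsresol])) +    # keep the source's resolution
                _option(OPT_ENDOFOPT, b""))
        out.append(_block(BT_IDB, struct.pack("<HHI", linktype, 0, snaplen) + opts))
        for ticks, pkt, orig in records:
            epb = struct.pack("<IIIII", if_id, ticks >> 32, ticks & 0xFFFFFFFF, len(pkt), orig) + pkt
            epbs.append((ticks * 10 ** (9 - tsresol), _block(BT_EPB, epb)))  # sort key in ns
    epbs.sort(key=lambda e: e[0])
    return b"".join(out + [e[1] for e in epbs])


def _iter_options(buf, end):
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(end + "HH", buf, off)
        if code == OPT_ENDOFOPT:
            return
        yield code, buf[off + 4:off + 4 + length]
        off += 4 + length + (-length % 4)


def index_pcapng(data):
    """Walk a pcapng file. Returns (interfaces, packets): interfaces is a list of
    dicts in IDB order, packets a list of (interface_id, timestamp_ticks, bytes)."""
    interfaces, packets, off, end = [], [], 0, "<"
    while off + 12 <= len(data):
        if struct.unpack_from("<I", data, off)[0] == BT_SHB:    # SHB type reads the same either way
            end = "<" if struct.unpack_from("<I", data, off + 8)[0] == 0x1A2B3C4D else ">"
        btype, total = struct.unpack_from(end + "II", data, off)
        body = data[off + 8:off + total - 4]
        if btype == BT_IDB:
            linktype, _, snaplen = struct.unpack_from(end + "HHI", body, 0)
            iface = {"linktype": linktype, "snaplen": snaplen, "tsresol": 6, "name": None, "description": None}
            for code, value in _iter_options(body[8:], end):
                if code == OPT_IF_NAME:
                    iface["name"] = value.decode()
                elif code == OPT_IF_DESCRIPTION:
                    iface["description"] = value.decode()
                elif code == OPT_IF_TSRESOL and not value[0] & 0x80:   # high bit set = power of two
                    iface["tsresol"] = value[0]
            interfaces.append(iface)
        elif btype == BT_EPB:
            if_id, hi, lo, caplen, _ = struct.unpack_from(end + "IIIII", body, 0)
            if if_id >= len(interfaces):
                raise ValueError("EPB references interface %d before any IDB defines it" % if_id)
            packets.append((if_id, (hi << 32) | lo, body[20:20 + caplen]))
        off += total
    return interfaces, packets


def packets_by_source(pcapng):
    """Group packets by the original file name stored in each IDB's if_name (helper added here)."""
    interfaces, packets = index_pcapng(pcapng)
    grouped = {}
    for if_id, _, pkt in packets:
        grouped.setdefault(interfaces[if_id]["name"], []).append(pkt)
    return grouped


def build_pcap(packets, linktype=1, nanosecond=False):
    """Constructed sample input: a classic little-endian pcap from (sec, frac, bytes) tuples."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC_NS if nanosecond else PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype)
    return hdr + b"".join(struct.pack("<IIII", s, f, len(p), len(p)) + p for s, f, p in packets)


# Constructed sample captures from two hypothetical collection points.
SAMPLE_FILES = [
    ("siteA.pcap", build_pcap([(1000, 500000, b"A1" * 7), (1002, 0, b"A2" * 7)])),
    ("siteB.pcap", build_pcap([(1001, 250000000, b"B1" * 7)], nanosecond=True)),
]

if __name__ == "__main__":
    merged = merge_pcaps_to_pcapng(SAMPLE_FILES)
    for name, pkts in packets_by_source(merged).items():
        print("%s: %d packets" % (name, len(pkts)))
```

Because interface N is the N-th input, a tshark run over the result can use `-Y "frame.interface_id == 1"` or `-T fields -e frame.interface_name` to attribute packets to their source file without any per-packet comments. If you stay with the Wireshark tools instead, the equivalent of the path described in the comments is `editcap -F pcapng site.pcap site.pcapng` per file and then `mergecap -I none -w merged.pcapng *.pcapng`; the `-I none` is what keeps one interface per file, so check the interface count in the merged output matches the file count before relying on the IDs.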