How to concatenate two tcpdump files (pcap files)

Question

How to concatenate two tcpdump files, so that one traffic will appear after another in the file? To be concrete I want to "multiply" one tcpdump file, so that all the sessions will be repeated one after another sequentially few times.

score 34 · Answer 1 · answered Jan 18 '12 at 09:30

34

mergecap can resolve your issue, but you must use it with '-a' option, otherwise it reorders packets temporally. Then: mergecap -a file_1.pcap file_1.pcap file_1.cap -w output_file.pcap

answered Jan 18 '12 at 09:30

Gianluca Costa

476
4
6

2

Note that mergecap is part of the "wireshark-common" package in debian-based distros – Clayton Dukes Sep 03 '15 at 02:34

score 7 · Answer 2 · answered May 26 '09 at 21:42

7

As the other answers say, you can use File->Merge in Wireshark, tcpslice, or mergecap. You can also drag a file into Wireshark's main window. If Wireshark/tcpdump/snort/Ntop/etc supported pcap-ng, you'd be able to simply concatenate your capture files.

answered May 26 '09 at 21:42

Gerald Combs

1,374
10
12

But don't they all just merge packet data, without caring about sequential numbers and shift of the packets in time, so that one concatenation segment is placed after another in time. – May 26 '09 at 21:51
1

If you use File->Merge or mergecap you have the option of prepending, merging chronologically (interleaving according to timestamps), or appending. – Gerald Combs May 27 '09 at 18:55

score 2 · Answer 3 · answered May 26 '09 at 21:32

2

Wireshark has the File -> Merge command which should do this.

I also remember mergecap being a tool to do so, but I haven't used it in a while.

answered May 26 '09 at 21:32

viksit

7,542
9
42
54

score 1 · Answer 4 · answered Aug 29 '16 at 07:44

to join multiple pcap, use this batch script

all pcap files must be in the same folder that batch script located and also first pcap file must be named 01.pcap and second must be 02.pcap when you dir the directory, there is no other limitation.

@echo off
@setlocal enableextensions enabledelayedexpansion

set /a var1=1
set mergecapL="C:\Program Files\Wireshark"

dir /b *.pcap > list.txt
%mergecapL%\mergecap.exe -w %cd%\out%var1%.pcap %cd%\01.pcap %cd%\02.pcap
FOR /F "skip=2 delims=" %%A IN (list.txt) DO (
    set var2=!var1!
    set /a var1+=1
    %mergecapL%\mergecap.exe -w %cd%\out!var1!.pcap %cd%\out!var2!.pcap "%cd%\%%A"
    del out!var2!.pcap
)
del list.txt

score 1 · Answer 5 · answered Dec 06 '10 at 02:55

1

Use mergecap from Wireshark:

mergecap ... -w output.cap

answered Dec 06 '10 at 02:55

Dan

11
1

score -4 · Answer 6 · edited Nov 08 '11 at 21:27

-4

Try pcapjoiner (commercial, with demo limited to 1000 packets).

edited Nov 08 '11 at 21:27

Nickolay

31,095
13
107
185

answered Nov 08 '11 at 18:44

michael

1
1

2

Why use a commercial, closed-source, limited tool when you have mergecap? – Léo Lam Mar 29 '15 at 12:16

How to concatenate two tcpdump files (pcap files)

6 Answers6