How to identify frames from which merged capture?

I merged two capture files, created at two different locations (i.e. one on the internal port of a firewall and another on the destination server at a remote location). How can I identify the original capture location of a frame in the merged file I have open in Wireshark?

Dan

Dan
asked 2018-02-24 13:20:58 +0000

2 Answers

The timestamp would help? But to be precise enable MD5 hash calculation in the frame preferences. That would allow you to use Edit|Find packet to search using frame.md5_hash == <MD5>.

Jaap
answered 2018-02-24 14:03:00 +0000
Thanks Jaap. May I ask you to be a little bit more specific? I've set "frame.generatemd5hash" to TRUE, and indeed, each frame now has an MD5 hash value. However, that hash value is different as soon as any content is different (source, destination, payload, etc.). I checked in one pcap file coming from one location.

I do not see (yet) how I could use that to identify the source pcap file of a given frame in a merged file.

Dan

Dan (2018-02-24 15:26:48 +0000)

This doesn't directly identify what file the packet came from. All it does is let you determine, to a high degree of accuracy, whether two packets have the same content. If you have the original files, and the merged file, you'd get the hash of a packet in the merged file and look for a packet in all of the original files that has the same hash value as the packet from the merged file. If there's more than one such packet, then you have a hash collision; compare the two packets in their entirety to see which one matches.

I.e., the hash makes it easier to find matching packets and to determine whether two packets are the same; it does not identify the source of the packet.

Guy Harris (2018-02-24 19:36:51 +0000)

Hmm.. is there a way to automate this?

Dan (2018-02-25 11:18:17 +0000)

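One way to automate the "find the original capture containing a matching packet" approach discussed in this thread (an added example, not code from either poster): index the MD5 of every frame in the original files, the same quantity Wireshark exposes as frame.md5_hash, then look up each frame of the merged file. It assumes legacy pcap input and uses constructed sample captures; a packet captured at both sites has identical bytes in both originals and is reported as ambiguous, because content alone cannot attribute it.

```python
import hashlib
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # legacy pcap (not pcapng), microsecond timestamps


def pcap_frames(data: bytes):
    """Yield the raw frame bytes of each record in an in-memory legacy pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tag_merged(merged: bytes, originals: dict) -> list:
    """Label each merged frame with the original capture holding the same bytes.

    Same idea as comparing Wireshark's frame.md5_hash (MD5 over the frame bytes).
    A label is the source file name, "ambiguous" if identical bytes occur in more
    than one original (the same packet seen at both capture points), or "unknown".
    """
    index = defaultdict(set)
    for name, data in originals.items():
        for frame in pcap_frames(data):
            index[hashlib.md5(frame).hexdigest()].add(name)
    labels = []
    for frame in pcap_frames(merged):
        sources = index.get(hashlib.md5(frame).hexdigest(), set())
        labels.append(next(iter(sources)) if len(sources) == 1
                      else "ambiguous" if sources else "unknown")
    return labels


def build_pcap(frames) -> bytes:
    """Constructed test data: wrap (ts_sec, frame) pairs in a legacy pcap, linktype 1."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


# Constructed frames: one packet seen at both sites, one unique to each side.
BOTH, FW_ONLY, SRV_ONLY = (b"\x00" * 14 + p for p in (b"syn-seen-twice", b"fw-internal", b"server-side"))
ORIGINALS = {"firewall.pcap": build_pcap([(1000, BOTH), (1001, FW_ONLY)]),
             "server.pcap": build_pcap([(1000, BOTH), (1002, SRV_ONLY)])}
MERGED = build_pcap([(1000, BOTH), (1000, BOTH), (1001, FW_ONLY), (1002, SRV_ONLY)])
# tag_merged(MERGED, ORIGINALS) -> ['ambiguous', 'ambiguous', 'firewall.pcap', 'server.pcap']
```

For real files, replace the constructed bytes with `open(path, "rb").read()` and write the labels out as a column alongside the frame number.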
If the original captures were pcapng files, and you merged them into a pcapng file, and the interfaces in the two captures have different names or some other property that lets you determine which capture the interface came from, you could identify the capture a packet came from from its interface.

Otherwise, no information is preserved about the original capture from which the packet came, so you'd need to fall back on the "see which original capture contains a matching packet" strategy Jaap suggested.

Guy Harris
answered 2018-02-24 19:39:56 +0000
Thanks for the hint. I usually trace on the router with the router's way to create pcap-like files (thus not pcapng) and on the target or source machine using Wireshark. Thus your approach with the interface name seems applicable to my requirement. As soon as I trace non-pcapng, I obviously have an issue.

It looks as if I can use color coding (while losing the other colors, unfortunately). Also, unfortunately the interface_id cannot be shown as a column, which would probably be the best. It is unfortunate I cannot (or can I?) open each trace separately, then tag each single packet with something, save it as pcapng and only then merge. And then have the tags somehow available (display, sort, filter, etc.).

I have another question which comes out of this. I will post it.

Dan (2018-02-25 11:16:58 +0000)

Got it... there is a way to add the interface ID or name as a column. Pretty simple too. I guess that can help me a great deal. Thanks for pointing me in the right direction!

Dan (2018-02-25 12:13:00 +0000)