
preserve source file info when merging

I frequently have to capture a given traffic flow from multiple taps and compare the resultant files.

Staring at and comparing multiple Wireshark windows is difficult, but merging the pcapng files loses the ability to clearly identify which tap captured which packet. I have to be able to quickly distinguish a packet dropped by the network versus one not captured by a tap.

I'd like to set the packet.comment field to that of the original file name before merging. Is that possible with some one-liner or with lua?

Currently I'm using a perl script to bounce between two temp files updating one frame at a time with editcap. Performance isn't great at 4 to 14 frames per second depending on the file.

sigtraniac asked 2020-09-29 23:32:08 +0000

Comments

Do frame.interface_id or frame.interface_name vary based on tap?
Or would it be okay to modify the interface name?
Trace Wrangler can do that. Unfortunately doesn't add frame comments.

Chuckc (2020-09-30 00:25:08 +0000)

interface_name is always -.

I'll check out Trace Wrangler. Thanks!

sigtraniac (2020-09-30 16:41:29 +0000)

1 Answer

After merging .pcapng files into another .pcapng file, you ought to be able to determine the file from which the packets originated using the frame.interface_id field, which you can see if you expand the Frame details in the Packet Details Pane and which you can apply as a column. That would, I think, negate the need to set the frame.comment field.

See also these related questions and associated answers:

cmaynard answered 2020-09-30 00:36:35 +0000

Comments

Thanks. I recently saw that field but wasn't sure what it was tracking. I carefully re-merged my files and verified the value lines up with the file in the order it appears in the mergecap command.

Thanks!

sigtraniac (2020-09-30 16:37:03 +0000)
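Both halves of this thread are about the pcapng container: the question wants each packet tagged with the file it came from before merging, and the answer points out that after mergecap the `frame.interface_id` of each packet already tells you which input (and so which tap) it came from. The following is an added example, not code from the question, the answer, or the Wireshark project. It walks the pcapng blocks directly (Section Header, Interface Description and Enhanced Packet Blocks, with the byte order taken from the SHB magic), writes an `opt_comment` carrying a file name onto every Enhanced Packet Block in one pass, and, for a merged file, counts packets per interface_id alongside the interface name from the matching IDB. All function names are my own, and the capture it operates on is constructed in memory rather than read from a real tap.

```python
"""Tag every packet in a pcapng file with an opt_comment (shown as
frame.comment in Wireshark) and count packets per interface_id.

Added example for this Q&A, not the asker's or answerer's code.
Block/option layout follows the pcapng specification; the sample
capture is constructed in memory.  Both little- and big-endian
sections are handled by reading the SHB byte-order magic."""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_END, OPT_COMMENT, OPT_IF_NAME = 0, 1, 2


def _pad4(b):
    return b + b"\x00" * (-len(b) % 4)


def _endian(data):
    # The byte-order magic sits at offset 8 of the leading SHB.
    magic = data[8:12]
    if magic == b"\x4d\x3c\x2b\x1a":
        return "<"
    if magic == b"\x1a\x2b\x3c\x4d":
        return ">"
    raise ValueError("not a pcapng file (bad byte-order magic)")


def iter_blocks(data):
    """Yield (block_type, body); body excludes the 12 bytes of framing."""
    e, off = _endian(data), 0
    while off < len(data):
        btype, tlen = struct.unpack(e + "II", data[off:off + 8])
        if tlen < 12 or off + tlen > len(data):
            raise ValueError("corrupt block length at offset %d" % off)
        yield btype, data[off + 8:off + tlen - 4]
        off += tlen


def _block(e, btype, body):
    tlen = len(body) + 12
    return struct.pack(e + "II", btype, tlen) + body + struct.pack(e + "I", tlen)


def _parse_options(e, raw):
    """Return [(code, value)] up to (excluding) opt_endofopt."""
    opts, off = [], 0
    while off + 4 <= len(raw):
        code, ln = struct.unpack(e + "HH", raw[off:off + 4])
        off += 4
        if code == OPT_END:
            break
        opts.append((code, raw[off:off + ln]))
        off += ln + (-ln % 4)          # option values are padded to 4 bytes
    return opts


def _pack_options(e, opts):
    if not opts:
        return b""
    out = b"".join(struct.pack(e + "HH", c, len(v)) + _pad4(v) for c, v in opts)
    return out + struct.pack(e + "HH", OPT_END, 0)


def _epb_options_offset(e, body):
    caplen = struct.unpack(e + "I", body[12:16])[0]
    return 20 + caplen + (-caplen % 4)   # fixed header + padded packet data


def add_comment_to_epbs(data, comment):
    """Copy of `data` with opt_comment=comment on every EPB (replacing any old one)."""
    e, out = _endian(data), bytearray()
    for btype, body in iter_blocks(data):
        if btype == EPB:
            cut = _epb_options_offset(e, body)
            opts = [o for o in _parse_options(e, body[cut:]) if o[0] != OPT_COMMENT]
            opts.append((OPT_COMMENT, comment.encode("utf-8")))
            body = body[:cut] + _pack_options(e, opts)
        out += _block(e, btype, body)
    return bytes(out)


def epb_comments(data):
    """opt_comment of each EPB in file order (None where absent)."""
    e, result = _endian(data), []
    for btype, body in iter_blocks(data):
        if btype == EPB:
            c = dict(_parse_options(e, body[_epb_options_offset(e, body):])).get(OPT_COMMENT)
            result.append(c.decode("utf-8") if c is not None else None)
    return result


def packets_per_interface(data):
    """interface_id -> (if_name or '-', packet count): the answer's field, per file."""
    e, names, counts = _endian(data), [], {}
    for btype, body in iter_blocks(data):
        if btype == IDB:                 # IDBs appear in the order mergecap wrote them
            name = dict(_parse_options(e, body[8:])).get(OPT_IF_NAME, b"-")
            names.append(name.decode("utf-8", "replace"))
        elif btype == EPB:
            iface = struct.unpack(e + "I", body[:4])[0]
            counts[iface] = counts.get(iface, 0) + 1
    return {i: (names[i] if i < len(names) else "?", n) for i, n in counts.items()}


def build_sample(iface_names, packets, e="<"):
    """Constructed capture: one IDB per name, EPBs given as (interface_id, payload)."""
    blocks = [_block(e, SHB, struct.pack(e + "IHHq", 0x1A2B3C4D, 1, 0, -1))]
    for name in iface_names:
        opts = _pack_options(e, [(OPT_IF_NAME, name.encode())]) if name else b""
        blocks.append(_block(e, IDB, struct.pack(e + "HHI", 1, 0, 65535) + opts))
    for n, (iface, payload) in enumerate(packets):
        hdr = struct.pack(e + "IIIII", iface, 0, n, len(payload), len(payload))
        blocks.append(_block(e, EPB, hdr + _pad4(payload)))
    return b"".join(blocks)


if __name__ == "__main__":
    tap_a = build_sample(["tap-a"], [(0, b"\x01" * 14), (0, b"\x02" * 15)])
    print(epb_comments(add_comment_to_epbs(tap_a, "tap-a.pcapng")))
    merged = build_sample(["", ""], [(0, b"A" * 14), (1, b"B" * 14), (0, b"C" * 14)])
    print(packets_per_interface(merged))
```

Two practical notes when applying this to real captures. First, `mergecap` decides how Interface Description Blocks from the inputs are combined (its `-I` option; modes `none`, `all`, `any`): with the default mode, inputs whose IDBs match can be folded onto one IDB, after which interface_id no longer separates the taps; `-I none` keeps one IDB per input so the id-to-file mapping the comment above verified holds regardless. Second, if you prefer to stay with `editcap`, its `-a <framenum>:<comment>` option can be given many times in a single invocation, which avoids rewriting the file once per frame as the perl loop in the question does.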
