Can Mergecap merge captures in a different directory than where it is located?

I have a folder specifically for my captures, it is a separate directory from that of the Wireshark directory. I am trying to use Mergecap to merge multiple captures in this directory and it is not able to detect the files I am referencing.

When I put my captures in my Wireshark directory, it works perfectly fine, but it is then surrounded by files and folders that are not associated with my caps, and it makes it hard to manage/organize.

Is it possible in some way to make Mergecap read/detect files in a directory that it doesn't exist in?

cweller
asked 2021-10-14 18:16:38 +0000

1 Answer

The reason you can't run mergecap from your capture directory is because the Wireshark program is not in your path. Wireshark's installation doesn't add itself to the path. I am assuming you are using Windows. There are two options:

  1. Type c:"\program files\wireshark\mergecap"; the double quotes are there because of the space in "program files".
  2. Update the Windows path. Go to the Windows "Advanced System Settings", "Environmental Variables", "User variables", click "path", and then edit. Add the Wireshark folder, e.g. "c:\Program Files\Wireshark\", close all the windows and then restart. Mergecap can then run from any folder.

Merging files from different folders

I just tested this with Windows 10. I created c:\temp2, c:\temp3, and c:\temp4 folders. I copied one pcap to the c:\temp3 folder and a different pcap to the c:\temp4 folder. Then from c:\temp2, I merged the two pcaps together. You will need to use the full path name for the file names, e.g. c:\temp3\test.pcap.

BigFatCat
answered 2021-10-14 20:49:34 +0000
grahamb
updated 2021-10-15 08:05:29 +0000

Comments

> Add the Wireshark folder, e.g. "c:\Program Files\Wireshark\", close all the windows and then restart. Mergecap can run from any folder.

And so can other command-line Wireshark tools, such as TShark, editcap, capinfos, and so on.

Guy Harris (2021-10-14 22:26:13 +0000)

Another option if you use PowerShell is to add aliases to the tools. This has a slight advantage in that it doesn't pollute your PATH, which can often be filled with rubbish from programs that are installed and then uninstalled and don't clean up properly after themselves.

The following one-liner will add aliases for all the executables in the Wireshark directory:

> Get-ChildItem 'C:\Program Files\Wireshark\*.exe' | ForEach-Object { New-Alias -Name $_.BaseName -Value $_.FullName -Force }

grahamb (2021-10-15 08:14:42 +0000)
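
The answer's full-path approach written as a PowerShell script, as an added example that is not part of the original thread: it calls mergecap by its full path, so PATH stays unchanged, and passes every capture by full path as well. The capture folder `C:\captures` and the output name `merged.pcapng` are assumed names; the install folder is the one given in the answer, and `-w` is mergecap's output-file option.

```powershell
# Added example. Only the Wireshark install folder comes from the thread;
# the capture folder and output file name are hypothetical.
$mergecap   = 'C:\Program Files\Wireshark\mergecap.exe'
$captureDir = 'C:\captures'                          # hypothetical capture folder
$outFile    = Join-Path $captureDir 'merged.pcapng'  # hypothetical output name

if (-not (Test-Path -LiteralPath $mergecap)) {
    throw "mergecap not found at $mergecap"
}

# Collect the full path of every capture in the folder.
# A merge result left over from an earlier run is skipped so it is not merged into itself.
$captures = @(
    Get-ChildItem -LiteralPath $captureDir -File |
        Where-Object { $_.Extension -in '.pcap', '.pcapng' -and $_.FullName -ne $outFile } |
        Sort-Object Name |
        ForEach-Object { $_.FullName }
)

if ($captures.Count -lt 2) {
    throw "Need at least two capture files in $captureDir, found $($captures.Count)"
}

# The call operator (&) runs an executable whose path contains spaces.
# PowerShell passes each array element as a separate, correctly quoted argument.
& $mergecap -w $outFile $captures

# mergecap is a native program, so failure shows up in the exit code, not as an exception.
if ($LASTEXITCODE -ne 0) {
    throw "mergecap exited with code $LASTEXITCODE"
}

Write-Output "Merged $($captures.Count) captures into $outFile"
```

The script can be started from any working directory, because neither the tool nor the input files are looked up relative to it.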