mergecap - Merges two or more capture files into one
-=head1 SYNOPSYS
+=head1 SYNOPSIS
B<mergecap>
S<[ B<-a> ]>
S<[ B<-T> E<lt>I<encapsulation type>E<gt> ]>
S<[ B<-v> ]>
S<B<-w> E<lt>I<outfile>E<gt>|->
-E<lt>I<infile>E<gt>
-I<...>
+E<lt>I<infile>E<gt> [E<lt>I<infile>E<gt> I<...>]
=head1 DESCRIPTION
B<Mergecap> is a program that combines multiple saved capture files into
a single output file specified by the B<-w> argument. B<Mergecap> knows
how to read B<libpcap> capture files, including those of B<tcpdump>,
-B<Wireshark>, and other tools that write captures in that format.
+B<Wireshark>, and other tools that write captures in that format.
-By default, it writes the capture file in B<libpcap> format, and writes
-all of the packets in both input capture files to the output file.
+By default, B<Mergecap> writes the capture file in B<libpcap> format, and writes
+all of the packets from the input capture files to the output file.
-B<Mergecap> is able to detect, read and write the same capture files that
+B<Mergecap> is able to detect, read and write the same capture files that
are supported by B<Wireshark>.
-The input files don't need a specific filename extension; the file
+The input files don't need a specific filename extension; the file
format and an optional gzip compression will be automatically detected.
Near the beginning of the DESCRIPTION section of wireshark(1) or
L<http://www.wireshark.org/docs/man-pages/wireshark.html>
B<Mergecap> can write the file in several output formats.
The B<-F> flag can be used to specify the format in which to write the
-capture file, B<mergecap -F> provides a list of the available output
+capture file, B<mergecap -F> provides a list of the available output
formats.
Packets from the input files are merged in chronological order based on
each frame's timestamp.
The output file frame encapsulation type is set to the type of the input
-files, if all input files have the same type. If not all of the input
+files if all input files have the same type. If not all of the input
files have the same frame encapsulation type, the output file type is
set to WTAP_ENCAP_PER_PACKET. Note that some capture file formats, most
notably B<libpcap>, do not currently support WTAP_ENCAP_PER_PACKET.
=item -F E<lt>file formatE<gt>
-Sets the file format of the output capture file. B<Mergecap> can write
-the file in several formats, B<mergecap -F> provides a list of the
-available output formats. The default is to use the file format of the
+Sets the file format of the output capture file. B<Mergecap> can write
+the file in several formats; B<mergecap -F> provides a list of the
+available output formats. The default is to use the file format of the
first input file.
=item -h
If the B<-T> flag is used to specify a frame encapsulation type, the
encapsulation type of the output capture file will be forced to the
specified type, rather than being the type appropriate to the
-encapsulation type of the input capture files.
+encapsulation type of the input capture files.
Note that this merely
forces the encapsulation type of the output file to be the specified
=back
+=head1 EXAMPLES
+
+To merge two capture files together, 100 seconds apart use:
+
+ capinfos -aeS a.pcap b.pcap
+
+(Let's suppose a.pcap starts at 1009932757 and b.pcap ends
+at 873660281. 1009932757 - 873660281 - 100 = 136272376
+seconds.)
+
+ editcap -t 136272376 b.pcap b-shifted.pcap
+ mergecap -w compare.pcap a.pcap b-shifted.pcap
+
=head1 SEE ALSO
-tcpdump(8), pcap(3), wireshark(1), editcap(1)
+tcpdump(8), pcap(3), wireshark(1), tshark(1), dumpcap(1), editcap(1),
+text2pcap(1)
=head1 NOTES
git.samba.org / obnox / wireshark / wip.git / blobdiff