Friday 25 May 2012

How to merger two Wirehsark capture files or pcap files ?

I wanted to combine two wirehsark captures into one and see  the packets.

I searched for how to combine or merge two pcap files and this is how i did using mergecap. It allows you to combine two capture files and create a third one.


C:\Program Files\Wireshark>mergecap.exe -h
Mergecap 1.4.3 (SVN Rev 35482 from /trunk-1.4)
Merge two or more capture files into one.
See http://www.wireshark.org/ for more information.
Usage: mergecap [options] -w <outfile>|- <infile> ...
Output:
  -a                concatenate rather than merge files.
                    default is to merge based on frame timestamps.
  -s <snaplen>      truncate packets to <snaplen> bytes of data.
  -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
  -F <capture type> set the output file type; default is libpcap.
                    an empty "-F" option will list the file types.
  -T <encap type>   set the output file encapsulation type;
                    default is the same as the first input file.
                    an empty "-T" option will list the encapsulation types.
Miscellaneous:
  -h                display this help and exit.
  -v                verbose output.
Run Command :

C:\Program Files\Wireshark>mergecap.exe capture1.pcap cap2.pcap -w output.pcap


Now the output.pcap will have the contents merged of input files, capture1.pcap and cap2.pcap.