Introduction
Mergecap is one of the optional tools included with the Wireshark program when it is installed . It is a command line tool used to merge packet files .
mergecap [ -a ] [ -F <file format> ] [ -I <IDB merge mode> ] [ -s <snaplen> ] [ -V ] -w <outfile>|- <infile> [<infile> …]
mergecap -h|--help
mergecap -v|--versiondescribe
Mergecap is a program that can merge multiple saved capture files into a single output file specified by the -w parameter. Mergecap knows how to read pcap and pcapng capture files, including tcpdump, wireshark, and other tools that write captures in these formats.
By default, Mergecap writes capture files in pcapng format and writes all packets from the input capture file to the output file.
Mergecap is able to detect, read and write the same capture files supported by Wireshark. No specific filename extension is required for the input files; the file format and optional gzip, zstd or lz4 compression will be detected automatically.
Mergecap can write files in several output formats. The -F flag can be used to specify the format in which the capture file is written. mergecap -F provides a list of available output formats.
Options
λ mergecap -h
Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Merge two or more capture files into one.
See https://www.wireshark.org for more information.
Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
Output:
-a concatenate rather than merge files.
default is to merge based on frame timestamps.
-s <snaplen> truncate packets to <snaplen> bytes of data.
-w <outfile>|- set the output filename to <outfile> or '-' for stdout.
-F <capture type> set the output file type; default is pcapng.
an empty "-F" option will list the file types.
-I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
an empty "-I" option will list the merge modes.
Miscellaneous:
-h, --help display this help and exit.
-V verbose output.
-v, --version print version information and exit.Examples
The following examples explain the functions of each option. The main information of the test trace file is as follows. The test.pcapng file contains 3 packets, which are TCP three-way handshake packets, split into two packet files, No.1 SYN and No.3 ACK are test01.pcpang, and No.2 SYN/ACK is test02.pcapng.
λ capinfos test.pcapng
File name: test.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 3
File size: 600 bytes
Data size: 186 bytes
Capture duration: 0.001654 seconds
First packet time: 2021-07-19 13:17:07.172339
Last packet time: 2021-07-19 13:17:07.173993
Data byte rate: 112 kBps
Data bit rate: 899 kbps
Average packet size: 62.00 bytes
Average packet rate: 1813 packets/s
SHA256: 5f618074fa1fbc83fbb113b42ae6fa3e0b7fdb86441b930d0d71842e96b4b521
RIPEMD160: 922b130ccc3bda159bfa399b494da089ef2e50fe
SHA1: c0d507e9ff122135a3e20e3920649bce636c8726
Strict time order: True
Capture application: Sanitized by TraceWrangler v0.6.8 build 949
Capture comment: Sanitized by TraceWrangler v0.6.8 build 949
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
Description = Ethernet0
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 10 (1809), build 17763
Number of stat entries = 0
Number of packets = 3
λ capinfos test0*.pcapng
File name: test01.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 2
File size: 488 bytes
Data size: 120 bytes
Capture duration: 0.001654 seconds
First packet time: 2021-07-19 13:17:07.172339
Last packet time: 2021-07-19 13:17:07.173993
Data byte rate: 72 kBps
Data bit rate: 580 kbps
Average packet size: 60.00 bytes
Average packet rate: 1209 packets/s
SHA256: 7f73fa4cee113507fb13bfea6c3d588d16ce62455dba84967b6c7e9ff5f119f9
RIPEMD160: 99c63e7b258156ca52332607170060514a05374c
SHA1: 0e73dc6d560a1ed7a94ba3639d04e268ed58e8a9
Strict time order: True
Capture application: Sanitized by TraceWrangler v0.6.8 build 949
Capture comment: Sanitized by TraceWrangler v0.6.8 build 949
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
Description = Ethernet0
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 10 (1809), build 17763
Number of stat entries = 0
Number of packets = 2
File name: test02.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 1
File size: 388 bytes
Data size: 66 bytes
Capture duration: 0.000000 seconds
First packet time: 2021-07-19 13:17:07.173872
Last packet time: 2021-07-19 13:17:07.173872
Data byte rate: 0 bytes/s
Data bit rate: 0 bits/s
Average packet size: 66.00 bytes
Average packet rate: 0 packets/s
SHA256: 6c52de6c914bfcefab0f06773fffa2e3a6d6e29be580cf857a7af03cfac12a64
RIPEMD160: 0d1daa946a757cd6f57a3a97c87753f93a88bbf3
SHA1: 623955ea30d52e85dce3e92b963c1440a11b7ed6
Strict time order: True
Capture application: Sanitized by TraceWrangler v0.6.8 build 949
Capture comment: Sanitized by TraceWrangler v0.6.8 build 949
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
Description = Ethernet0
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 10 (1809), build 17763
Number of stat entries = 0
Number of packets = 1
λ tshark -r test.pcapng
1 0.000000 192.168.0.1 → 10.10.10.1 TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.001533 10.10.10.1 → 192.168.0.1 TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
3 0.001654 192.168.0.1 → 10.10.10.1 TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
λ tshark -r test01.pcapng
1 0.000000 192.168.0.1 → 10.10.10.1 TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.001654 192.168.0.1 → 10.10.10.1 TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
λ tshark -r test02.pcapng
1 0.000000 10.10.10.1 → 192.168.0.1 TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERMOutput
Output options mainly include the following:
Output:
-a concatenate rather than merge files.
default is to merge based on frame timestamps.
-s <snaplen> truncate packets to <snaplen> bytes of data.
-w <outfile>|- set the output filename to <outfile> or '-' for stdout.
-F <capture type> set the output file type; default is pcapng.
an empty "-F" option will list the file types.
-I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
an empty "-I" option will list the merge modes.
The default merging method is based on the timestamp of the data frame. After merging test01 and test02 in the example, it becomes the same as test.
λ mergecap -w merge.pcapng test01.pcapng test02.pcapng
λ tshark -r merge.pcapng
1 0.000000 192.168.0.1 → 10.10.10.1 TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.001533 10.10.10.1 → 192.168.0.1 TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
3 0.001654 192.168.0.1 → 10.10.10.1 TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
-a 选项,连接而不是合并文件。
λ mergecap -a -w merge.pcapng test01.pcapng test02.pcapng
λ tshark -r merge.pcapng
1 0.000000 192.168.0.1 → 10.10.10.1 TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.001654 192.168.0.1 → 10.10.10.1 TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
3 0.001533 10.10.10.1 → 192.168.0.1 TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
-s Option to truncate packet data length.
λ mergecap -s 40 -w merge.pcapng test01.pcapng test02.pcapng
λ capinfos -l merge.pcapng
File name: merge.pcapng
Packet size limit: file hdr: (not set)
Packet size limit: inferred: 40 bytes
-w Option, set the output file name.
λ mergecap -w merge.pcapng test01.pcapng test02.pcapng
-F Option, set the output file type, default is pcapng.
λ mergecap -F
mergecap: option requires an argument: F
mergecap: The available capture file types for the "-F" flag are:
pcap - Wireshark/tcpdump/... - pcap
pcapng - Wireshark/... - pcapng
5views - InfoVista 5View capture
btsnoop - Symbian OS btsnoop
commview-ncf - TamoSoft CommView NCF
commview-ncfx - TamoSoft CommView NCFX
dct2000 - Catapult DCT2000 trace (.out format)
erf - Endace ERF capture
eyesdn - EyeSDN USB S0/E1 ISDN trace format
k12text - K12 text file
lanalyzer - Novell LANalyzer
logcat - Android Logcat Binary format
logcat-brief - Android Logcat Brief text format
logcat-long - Android Logcat Long text format
logcat-process - Android Logcat Process text format
logcat-tag - Android Logcat Tag text format
logcat-thread - Android Logcat Thread text format
logcat-threadtime - Android Logcat Threadtime text format
logcat-time - Android Logcat Time text format
modpcap - Modified tcpdump - pcap
netmon1 - Microsoft NetMon 1.x
netmon2 - Microsoft NetMon 2.x
nettl - HP-UX nettl trace
ngsniffer - Sniffer (DOS)
ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
ngwsniffer_2_0 - Sniffer (Windows) 2.00x
nokiapcap - Nokia tcpdump - pcap
nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
nstrace10 - NetScaler Trace (Version 1.0)
nstrace20 - NetScaler Trace (Version 2.0)
nstrace30 - NetScaler Trace (Version 3.0)
nstrace35 - NetScaler Trace (Version 3.5)
observer - Viavi Observer
rf5 - Tektronix K12xx 32-bit .rf5 format
rh6_1pcap - RedHat 6.1 tcpdump - pcap
snoop - Sun snoop
suse6_3pcap - SuSE 6.3 tcpdump - pcap
visual - Visual Networks traffic capture
λ
λ mergecap -F pcap -w merge.pcap test01.pcapng test02.pcapng
λ capinfos -t merge.pcap
File name: merge.pcap
File type: Wireshark/tcpdump/... - pcap
-Option I: Set the merge mode for the Interface Description Block (IDB). Each input file has one or more IDBs that describe the interface initially captured, including encapsulation type, interface name, and so on. When merging multiple input files into a new merged output file, it must merge these IDBs in some way.
The currently available modes are: none (do not merge, only copy all IDBs to the output file), all (merge only when all input files have the same IDBs, otherwise they are the same as none), and any (merge the same IDBs and then copy them together with different IDBs to the output file), with the default being all.
λ mergecap -I none -w merge.pcap test01.pcapng test02.pcapng
λ capinfos merge.pcapng
File name: merge.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 3
File size: 872 bytes
Data size: 186 bytes
Capture duration: 0.001654 seconds
First packet time: 2021-07-19 13:17:07.172339
Last packet time: 2021-07-19 13:17:07.173993
Data byte rate: 112 kBps
Data bit rate: 899 kbps
Average packet size: 62.00 bytes
Average packet rate: 1813 packets/s
SHA256: c9cb0b8614a1e759fada597e788d53593be59d643b013265bf063abc4a7e3a7a
RIPEMD160: 53c882cf632e2782e811d61a02dc0776fa148ae6
SHA1: 36faf965e1f9fd1ff21097c21fa5acd67d1b2de0
Strict time order: True
Capture oper-sys: 64-bit Windows 10 (1809), build 17763
Capture application: Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Capture comment: Sanitized by TraceWrangler v0.6.8 build 949 File created by merging: File1: test01.pcapng File2: test02.pcapng
Number of interfaces in file: 2
Interface #0 info:
Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
Description = Ethernet0
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 10 (1809), build 17763
Number of stat entries = 0
Number of packets = 2
Interface #1 info:
Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
Description = Ethernet0
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 10 (1809), build 17763
Number of stat entries = 0
Number of packets = 1Miscellaneous
Miscellaneous options, mainly including the following:
Miscellaneous:
-h, --help display this help and exit.
-V verbose output.
-v, --version print version information and exit.
λ mergecap -h
Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Merge two or more capture files into one.
See https://www.wireshark.org for more information.
Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
Output:
-a concatenate rather than merge files.
default is to merge based on frame timestamps.
-s <snaplen> truncate packets to <snaplen> bytes of data.
-w <outfile>|- set the output filename to <outfile> or '-' for stdout.
-F <capture type> set the output file type; default is pcapng.
an empty "-F" option will list the file types.
-I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
an empty "-I" option will list the merge modes.
Miscellaneous:
-h, --help display this help and exit.
-V verbose output.
-v, --version print version information and exit.
λ mergecap -V
mergecap: an output filename must be set with -w
run with -h for help
λ mergecap -V -w merge.pcapng test01.pcapng test02.pcapng
mergecap: test01.pcapng is type Wireshark/... - pcapng.
mergecap: test02.pcapng is type Wireshark/... - pcapng.
mergecap: selected frame_type Ethernet (ether)
mergecap: ready to merge records
Record: 1
Record: 2
Record: 3
mergecap: merging complete
λ mergecap -v
Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b).
Copyright 1998-2022 Gerald Combs <[email protected]> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with binary plugins.
Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) Gold
6242R CPU @ 3.10GHz (with SSE4.2), with 16382 MB of physical memory, with GLib
2.72.3, with PCRE2 10.40 2022-04-14, with LC_TYPE=C, binary plugins supported.Click to rate this post!
[Total: 0 Average: 0]