I have two pcapng files. Each one is a traffic capture that occurred at the same router but on different interfaces.
Since I want to study the behavior of the router's protocols globally I thought on merging these two files into one, so it would be easier to study the different protocols.
I've used the tool mergcap, such as this:
mergecap -w new_file.pcapng file1.pcapng file2.pcapng
According to the manual of mergecap, the files will be merged chronologically, based on the timestamp of each packet within each file1.pcapng and file2.pcapng.
The problem I'm facing now is that after the merge has taken place, packets that I had in file1.pcapng are not found with the same timestamp on new_file.pcapng.
Has anyone done something like this before? I'm using mergecap 2.0.2.
Thanks!
Lucas
By default
wiresharkorders the packets chronologically starting from the first captured packet. Since you merged two capture files you have two packets that were the start of the capture but only one of them is the first packet in the file. Aligning packets by time based on the first captured packet does not make sense in case of a merged capture.To be fair, it could make sense if
wiresharkordered all packets in chronological order before picking which packet was captured first. Currently, the first packet in the file is the time reference (see time references) by default.Thankfully
wiresharkstores the packet time as a timestamp since EPOCH. This allows to align the packets in a merged file chronologically using the several options inView > Time Display Format.Captures from different machines
The above has one limitation: Since the timestamps are based on EPOCH, if you capture packets from different machines you need to make sure that the clocks of these machines are aligned.
In the case that your capture files originate from different machines and the clocks on these machines are not aligned, you need to shift the timestamps on one of the captures before merging. That, in turn, can be accomplished with
wiresharksEdit > Time Shift.