Merge multiple pcap files together, gracefully.
Download a precompiled binary from https://github.com/assafmo/joincap/releases
Or use go get:
go get -u github.com/assafmo/joincap
Or use Ubuntu PPA:
curl -SsL https://assafmo.github.io/ppa/ubuntu/KEY.gpg | sudo apt-key add -
sudo curl -SsL -o /etc/apt/sources.list.d/assafmo.list https://assafmo.github.io/ppa/ubuntu/assafmo.list
sudo apt update
sudo apt install joincap
Usage:
joincap [OPTIONS] InFiles...
Application Options:
-v, --verbose Explain when skipping packets or entire input files
-V, --version Print the version and exit
-w= Sets the output filename. If the name is '-', stdout will be used (default: -)
Help Options:
-h, --help Show this help message
I believe skipping corrupt packets is better than failing the entire merge job.
When using tcpslice or mergecap, sometimes pcapfix is needed to fix bad input pcap files.
mergecap/tcpslice), if we get errors then run pcapfix on the bad pcaps and then run merge again.
pcapfix processes)
pcapfix on the input pcap files and then merge.
pcapfix processes)
pcapfix "in memory" with process substitution: mergecap -w out.pcap <(pcapfix -o /dev/stdout 1.pcap) <(pcapfix -o /dev/stdout 2.pcap).
pcapfix processes)
tcpslice -w out.pcap *.pcap)
tcpslice (seeks the last packets to calculate time ranges - cannot do this with pipes)
joincap vs mergecap vs tcpslice
Use case | joincap | mergecap v2.4.5 | tcpslice v1.2a3 |
---|---|---|---|
Corrupt input global header | :heavy_check_mark: | :x: | :x: |
Corrupt input packet header | :heavy_check_mark: | :x: | :x: |
Unexpected EOF (last packet data is truncated) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
Input pcap has no packets (global header is ok, no first packet header) | :heavy_check_mark: | :heavy_check_mark: | :x: |
Input file size is smaller than 24 bytes (global header is truncated) | :heavy_check_mark: | :heavy_check_mark: | :x: |
Input file size is between 24 and 40 bytes (global header is ok, first packet header is truncated) | :heavy_check_mark: | :x: | :x: |
Input file doesn't exist | :heavy_check_mark: | :x: | :x: |
Input file is a directory | :heavy_check_mark: | :x: | :x: |
Input file end is garbage | :heavy_check_mark: | :heavy_check_mark: | :x: |
Input file is gzipped (.pcap.gz) | :heavy_check_mark: | :heavy_check_mark: | :x: |
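The 24 and 40 byte thresholds in the table come from the classic pcap layout: a 24-byte global header followed by records that each begin with a 16-byte packet header. The Go code below is an added example, not joincap's own code; it reports which of the table's conditions a capture hits and how many packets are intact before it. `Scan`, `Sample`, the 262144-byte length cap and the restriction to the little-endian microsecond magic are assumptions of this example.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const globalHdrLen, pktHdrLen, maxPktLen = 24, 16, 262144 // pcap header sizes; assumed length cap

// Scan returns the number of intact packets and why reading stopped ("" = clean EOF).
func Scan(b []byte) (int, string) {
	if len(b) < globalHdrLen {
		return 0, "global header truncated"
	}
	if binary.LittleEndian.Uint32(b) != 0xa1b2c3d4 {
		return 0, "corrupt global header"
	}
	n, off := 0, globalHdrLen
	for off < len(b) {
		if len(b)-off < pktHdrLen {
			return n, "packet header truncated"
		}
		incl, orig := binary.LittleEndian.Uint32(b[off+8:]), binary.LittleEndian.Uint32(b[off+12:])
		if incl > maxPktLen || incl > orig {
			return n, "corrupt packet header"
		}
		if len(b)-off-pktHdrLen < int(incl) {
			return n, "unexpected EOF in packet data"
		}
		off += pktHdrLen + int(incl)
		n++
	}
	return n, ""
}

// Sample builds a constructed capture: global header plus n records of 4 data bytes.
func Sample(n int) []byte {
	b := []byte{0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 0, 0, 1, 0, 0, 0}
	for i := 0; i < n; i++ {
		b = append(b, byte(i), 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 4, 0, 0, 0, 0xde, 0xad, 0xbe, 0xef)
	}
	return b
}

func main() {
	for _, in := range [][]byte{Sample(2), Sample(2)[:10], Sample(2)[:30], Sample(2)[:62]} {
		fmt.Println(Scan(in))
	}
}
```

A merger that wants to skip bad input rather than fail can keep the packets counted before the stop reason and move on to the next file.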
Use case | Error outputs |
---|---|
Corrupt input global header | |
Corrupt input packet header | |
Unexpected EOF (last packet data is truncated) | |
Input pcap has no packets (global header is ok, no first packet header) | |
Input file size is smaller than 24 bytes (global header is truncated) | |
Input file size is between 24 and 40 bytes (global header is ok, first packet header is truncated) | |
Input file doesn't exist | |
Input file is a directory | |
Input file end is garbage | |
Input file is gzipped (.pcap.gz) | |
Use case | How to reproduce |
---|---|
Corrupt input global header | |
Corrupt input packet header | |
Unexpected EOF (last packet data is truncated) | |
Input pcap has no packets (global header is ok, no first packet header) | |
Input file size is smaller than 24 bytes (global header is truncated) | |
Input file size is between 24 and 40 bytes (global header is ok, first packet header is truncated) | |
Input file doesn't exist | |
Input file is a directory | |
Input file end is garbage | |
Input file is gzipped (.pcap.gz) | |
Tool | Version | Speed | Time |
---|---|---|---|
mergecap | 3.2.2 | 590MiB/s | 0m5.632s |
tcpslice | 1.2a3 | 838MiB/s | 0m3.666s |
joincap | 0.10.2 | 562MiB/s | 0m5.462s |