seguridad/2.- Ejercicios/reto_seguridad/capturas/WiresharkPortable64/App/Wireshark/mergecap.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.17">
<title>mergecap(1)</title>
<link rel="stylesheet" href="./ws.css">
</head>
<body class="manpage">
<div id="header">
<h1>mergecap(1) Manual Page</h1>
<h2 id="_name">NAME</h2>
<div class="sectionbody">
<p>mergecap - Merges two or more capture files into one</p>
</div>
</div>
<div id="content">
<div class="sect1">
<h2 id="_synopsis">SYNOPSIS</h2>
<div class="sectionbody">
<div class="paragraph">
<p><span class="nowrap"><strong>mergecap</strong></span>
<span class="nowrap">[ <strong>-a</strong> ]</span>
<span class="nowrap">[ <strong>-F</strong> &lt;<em>file format</em>&gt; ]</span>
<span class="nowrap">[ <strong>-I</strong> &lt;<em>IDB merge mode</em>&gt; ]</span>
<span class="nowrap">[ <strong>-s</strong> &lt;<em>snaplen</em>&gt; ]</span>
<span class="nowrap">[ <strong>-V</strong> ]</span>
<span class="nowrap"><strong>-w</strong> &lt;<em>outfile</em>&gt;|-</span>
<span class="nowrap">&lt;<em>infile</em>&gt; [&lt;<em>infile</em>&gt; <em>&#8230;&#8203;</em>]</span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>mergecap</strong></span>
<span class="nowrap"><strong>-h|--help</strong></span></p>
</div>
<div class="paragraph">
<p><span class="nowrap"><strong>mergecap</strong></span>
<span class="nowrap"><strong>-v|--version</strong></span></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_description">DESCRIPTION</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>Mergecap</strong> is a program that combines multiple saved capture files into
a single output file specified by the <strong>-w</strong> argument.  <strong>Mergecap</strong> knows
how to read <strong>pcap</strong> and <strong>pcapng</strong> capture files, including those of
<strong>tcpdump</strong>, <strong>Wireshark</strong> and other tools that write captures in those
formats.</p>
</div>
<div class="paragraph">
<p>By default, <strong>Mergecap</strong> writes the capture file in <strong>pcapng</strong> format, and
writes all of the packets from the input capture files to the output file.</p>
</div>
<div class="paragraph">
<p><strong>Mergecap</strong> is able to detect, read and write the same capture files that
are supported by <strong>Wireshark</strong>.
The input files don&#8217;t need a specific filename extension; the file
format and an optional gzip, zstd or lz4 compression will be automatically detected.
Near the beginning of the DESCRIPTION section of <a href="wireshark.html">wireshark</a>(1) or
<a href="https://www.wireshark.org/docs/man-pages/wireshark.html" class="bare">https://www.wireshark.org/docs/man-pages/wireshark.html</a>
is a detailed description of the way <strong>Wireshark</strong> handles this, which is
the same way <strong>Mergecap</strong> handles this.</p>
</div>
<div class="paragraph">
<p><strong>Mergecap</strong> can write the file in several output formats.
The <strong>-F</strong> flag can be used to specify the format in which to write the
capture file, <strong>mergecap -F</strong> provides a list of the available output
formats.</p>
</div>
<div class="paragraph">
<p>Packets from the input files are merged in chronological order based on
each frame&#8217;s timestamp, unless the <strong>-a</strong> flag is specified.  <strong>Mergecap</strong>
assumes that frames within a single capture file are already stored in
chronological order.  When the <strong>-a</strong> flag is specified, packets are
copied directly from each input file to the output file, independent of
each frame&#8217;s timestamp.</p>
</div>
<div class="paragraph">
<p>The output file frame encapsulation type is set to the type of the input
files if all input files have the same type.  If not all of the input
files have the same frame encapsulation type, the output file type is
set to WTAP_ENCAP_PER_PACKET.  Note that some capture file formats, most
notably <strong>pcap</strong>, do not currently support WTAP_ENCAP_PER_PACKET.
This combination will cause the output file creation to fail.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_options">OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">-a</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Causes the frame timestamps to be ignored, writing all packets from the
first input file followed by all packets from the second input file.  By
default, when <strong>-a</strong> is not specified, the contents of the input files
are merged in chronological order based on each frame&#8217;s timestamp.</p>
</div>
<div class="paragraph">
<p>Note: when merging, <strong>mergecap</strong> assumes that packets within a capture
file are already in chronological order.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-F  &lt;file format&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the file format of the output capture file. <strong>Mergecap</strong> can write
the file in several formats; <strong>mergecap -F</strong> provides a list of the
available output formats.  By default this is the <strong>pcapng</strong> format.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-h|--help</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Prints the version and options and exits.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-I  &lt;IDB merge mode&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the Interface Description Block (IDB) merge mode to use during merging.
<strong>mergecap -I</strong> provides a list of the available IDB merge modes.</p>
</div>
<div class="paragraph">
<p>Every input file has one or more IDBs, which describe the interface(s) the
capture was performed on originally. This includes encapsulation type,
interface name, etc. When mergecap merges multiple input files, it has to
merge these IDBs somehow for the new merged output file. This flag controls
how that is accomplished. The currently available modes are:</p>
</div>
<div class="paragraph">
<p><strong>none</strong>: No merging of IDBs is performed, and instead all IDBs are
copied to the merged output file.</p>
</div>
<div class="paragraph">
<p><strong>all</strong>: IDBs are merged only if all input files have the same number
of IDBs, and each IDB matches their respective entry in the
other files. (Only the IDBs that occur at the beginning of the files,
before any packet blocks, are compared. IDBs that occur later in the
files are merged with duplicates iff the initial IDBs were merged.)
This is the default mode.</p>
</div>
<div class="paragraph">
<p><strong>any</strong>: Any and all duplicate IDBs are merged into one IDB, regardless
of what file they are in.</p>
</div>
<div class="paragraph">
<p>Note that an IDB is only considered a matching duplicate if it has the same
encapsulation type, name, speed, time precision, comments, description, etc.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-s  &lt;snaplen&gt;</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the snapshot length to use when writing the data.
If the <strong>-s</strong> flag is used to specify a snapshot length, frames in the
input file with more captured data than the specified snapshot length
will have only the amount of data specified by the snapshot length
written to the output file.  This may be useful if the program that is
to read the output file cannot handle packets larger than a certain size
(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6
appear to reject Ethernet frames larger than the standard Ethernet MTU,
making them incapable of handling gigabit Ethernet captures if jumbo
frames were used).</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-v|--version</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Print the version and exit.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-V</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Causes <strong>mergecap</strong> to print a number of messages while it&#8217;s working.</p>
</div>
</div>
</div>
</dd>
<dt class="hdlist1">-w  &lt;outfile&gt;|-</dt>
<dd>
<div class="openblock">
<div class="content">
<div class="paragraph">
<p>Sets the output filename. If the name is '<strong>-</strong>', stdout will be used.
This setting is mandatory.</p>
</div>
</div>
</div>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_diagnostic_options">DIAGNOSTIC OPTIONS</h2>
<div class="sectionbody">
<div class="dlist">
<dl>
<dt class="hdlist1">--log-level &lt;level&gt;</dt>
<dd>
<p>Set the active log level.
Supported levels in lowest to highest order are "noisy", "debug", "info", "message", "warning", "critical", and "error".
Messages at each level and higher will be printed, for example "warning" prints "warning", "critical", and "error" messages and "noisy" prints all messages.
Levels are case insensitive.</p>
</dd>
<dt class="hdlist1">--log-fatal &lt;level&gt;</dt>
<dd>
<p>Abort the program if any messages are logged at the specified level or higher.
For example, "warning" aborts on any "warning", "critical", or "error" messages.</p>
</dd>
</dl>
</div>
<div class="dlist">
<dl>
<dt class="hdlist1">--log-domains &lt;list&gt;</dt>
<dd>
<p>Only print messages for the specified log domains, e.g. "GUI,Epan,sshdump".
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-debug &lt;list&gt;</dt>
<dd>
<p>Force the specified domains to log at the "debug" level.
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-noisy &lt;list&gt;</dt>
<dd>
<p>Force the specified domains to log at the "noisy" level.
List of domains must be comma-separated.</p>
</dd>
<dt class="hdlist1">--log-file &lt;path&gt;</dt>
<dd>
<p>Write log messages and stderr output to the specified file.</p>
</dd>
</dl>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_examples">EXAMPLES</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To merge two capture files together into a third capture file, in which
the last packet of one file arrives 100 seconds before the first packet
of another file, use the following sequence of commands.</p>
</div>
<div class="paragraph">
<p>First, use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>capinfos -aeS a.pcap b.pcap</pre>
</div>
</div>
<div class="paragraph">
<p>to determine the start and end times of the two capture files, as
seconds since January 1, 1970, 00:00:00 UTC.</p>
</div>
<div class="paragraph">
<p>If a.pcap starts at 1009932757 and b.pcap ends at 873660281, then the
time adjustment to b.pcap that would make it end 100 seconds before
a.pcap begins would be 1009932757 - 873660281 - 100 = 136272376 seconds.</p>
</div>
<div class="paragraph">
<p>Thus, the next step would be to use:</p>
</div>
<div class="literalblock">
<div class="content">
<pre>editcap -t 136272376 b.pcap b-shifted.pcap</pre>
</div>
</div>
<div class="paragraph">
<p>to generate a version of b.pcap with its time stamps shifted 136272376
ahead.</p>
</div>
<div class="paragraph">
<p>Then the final step would be to use :</p>
</div>
<div class="literalblock">
<div class="content">
<pre>mergecap -w compare.pcap a.pcap b-shifted.pcap</pre>
</div>
</div>
<div class="paragraph">
<p>to merge a.pcap and the shifted b.pcap into compare.pcap.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_see_also">SEE ALSO</h2>
<div class="sectionbody">
<div class="paragraph">
<p><a href="https://www.tcpdump.org/manpages/pcap.3pcap.html">pcap</a>(3), <a href="wireshark.html">wireshark</a>(1), <a href="tshark.html">tshark</a>(1), <a href="dumpcap.html">dumpcap</a>(1), <a href="editcap.html">editcap</a>(1), <a href="text2pcap.html">text2pcap</a>(1),
<a href="https://www.tcpdump.org/manpages/pcap-filter.7.html">pcap-filter</a>(7) or <a href="https://www.tcpdump.org/manpages/tcpdump.1.html">tcpdump</a>(8)</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_notes">NOTES</h2>
<div class="sectionbody">
<div class="paragraph">
<p><strong>Mergecap</strong> is based heavily upon <strong>editcap</strong> by Richard Sharpe
&lt;sharpe[AT]ns.aus.com&gt; and Guy Harris &lt;guy[AT]alum.mit.edu&gt;.</p>
</div>
<div class="paragraph">
<p>This is the manual page for <strong>Mergecap</strong> 4.0.5.
<strong>Mergecap</strong> is part of the <strong>Wireshark</strong> distribution.
The latest version of <strong>Wireshark</strong> can be found at <a href="https://www.wireshark.org" class="bare">https://www.wireshark.org</a>.</p>
</div>
<div class="paragraph">
<p>HTML versions of the Wireshark project man pages are available at
<a href="https://www.wireshark.org/docs/man-pages" class="bare">https://www.wireshark.org/docs/man-pages</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_authors">AUTHORS</h2>
<div class="sectionbody">
<div class="paragraph">
<div class="title">Original Author</div>
<p>Scott Renfro &lt;scott[AT]renfro.org&gt;</p>
</div>
<div class="paragraph">
<div class="title">Contributors</div>
<p>Bill Guyton &lt;guyton[AT]bguyton.com&gt;</p>
</div>
</div>
</div>
</div>
</body>
</html>