Just a real quick tip today, while I get back into the swing of things, post-moving.

A friend of mine showed me a very useful utility called mergecap, which is included with the wireshark package (formally known as Ethereal). This is one of those “so simple it hurts” tools, that I wish I had known about years ago. So what is so special about mergecap? Well if you’ve ever had to deal with multiple capture files, you know what a pain it can be to search through them all. This is where mergecap comes in handy.

There are a few options discussed in the man page, but in it’s simplest form, from the command line:

mergecap *.pcap -w /path/to/output/dir/name.pcap

Now, you simply wait a few seconds and you will have a properly merged pcap file. I tested this method on a few pcap files gigabytes in size and mergecap only took about 10 seconds to do its job.

If you are like me, and do not have X or a monitor installed on your sniffing box, I suggest installing tethereal, which is the command line only version of the wireshark package. Mergecap is included in the wireshark-common portion of the required packages.

Enjoy this short little tip and as always have fun nerding it up.

This entry was posted on Saturday, February 9th, 2008 at 11:10 am and is filed under ethereal, geek stuff, tcpdump. You can follow any responses to this entry through the RSS 2.0 feed. You can skip to the end and leave a response. Pinging is currently not allowed.