Ethereal-dev: Re: [Ethereal-dev] mergecap: How to merge Ethernet & Linux cooked capture files?
Maynard, Chris wrote:
> I have 2 capture files that I would like to merge. One file has IEEE
> 802.3 Ethernet encapsulation and the other has Linux cooked capture
> encapsulation.
> I have been unsuccessful at merging them, trying things like,
> "mergecap -T ether -w merge.cap eth.cap cooked.cap"
> "mergecap -T linux-ssl merge.cap eth.cap cooked.cap"
> ... but in the first case, only the eth.cap packets are correctly
> dissected, and in the second case, only the cooked.cap packets are
> correctly dissected.
"-T" doesn't mean "reformat the content of the packets to actually have
a link-layer header of that type", it means "assume the packets already
have a link-layer header of that type, but the file has the wrong
link-layer type, and write out the packets in the new link-layer type".
> Is it possible to merge these two files?
No. Libpcap format only supports one link-layer type in a capture file,
and no other capture file format supported by Ethereal's Wiretap
capture-file-reading library supports the Linux cooked capture
encapsulation.
> If not, then what
> would it take to be able to support this type of merge?
Add support for pcap-NG format:
http://www.winpcap.org/ntar/draft/PCAP-DumpFileFormat.html
to the Wiretap library and to Ethereal, Tethereal, and mergecap; that
format supports multiple link-layer types in a file. The resulting
files will, of course, only be readable by programs that support pcap-NG.
I'd suggest joining the ntar-workers@xxxxxxxxxxx list if you're going to
work on that.
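
An added illustration of the two points in the reply above (not part of the original message, and not mergecap or Wiretap code): a classic libpcap file stores a single link-layer type in its global header, and rewriting that field leaves the packet bytes exactly as they were. The sample packets are constructed and the helper names are hypothetical.

```python
import struct

LINKTYPE_ETHERNET = 1      # DLT_EN10MB
LINKTYPE_LINUX_SLL = 113   # Linux cooked capture
MAGIC = 0xA1B2C3D4

# Constructed sample packets: 14-byte Ethernet header vs 16-byte cooked header.
ETH_PKT = bytes.fromhex("ffffffffffff0011223344550800") + b"payload"
SLL_PKT = struct.pack(">HHH8sH", 0, 1, 6, bytes.fromhex("0011223344550000"), 0x0800) + b"payload"

def build_pcap(linktype, pkts):
    """Constructed sample: a little-endian classic pcap file held in memory."""
    out = struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, pkt in enumerate(pkts):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

def _endian(data):
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for e in ("<", ">"):
        if struct.unpack(e + "I", data[:4])[0] == MAGIC:
            return e
    raise ValueError("not a classic libpcap file")

def read_linktype(data):
    """The file's one link-layer type, stored once in the 24-byte global header."""
    return struct.unpack(_endian(data) + "I", data[20:24])[0]

def iter_packets(data):
    """Yield raw packet bytes; record headers carry no per-packet link type."""
    e, off = _endian(data), 24
    while off + 16 <= len(data):
        incl = struct.unpack(e + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def retag(data, new_linktype):
    """Model of the -T behaviour described above: only the header field changes."""
    return data[:20] + struct.pack(_endian(data) + "I", new_linktype) + data[24:]

def mergeable(*files):
    """True only if every input declares the same link-layer type."""
    return len({read_linktype(f) for f in files}) == 1
```

Retagging the cooked file as Ethernet makes the two inputs look mergeable, but its packets still begin with the cooked header, which is why they are then dissected incorrectly.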