On Fri, May 17, 2002 at 03:12:24PM +0530, Narayan Sharma wrote:
> Does anybody know, is it possible to concatenate
> two separate ethereal capture files into one.
It's possible to *combine* two separate capture files, if they were
captured on the same type of network device, so that you have a "merged"
capture file, with packets from both capture files, sorted in order by
the packet arrival time.
That's not necessarily "concatenation"; however, I suspect it's what you
*really* want.
However:
> On my part, I tried this one,
> Say I want to join files A and B
> #touch C
> #cat A > C
> #cat B >> C
...that's *not* the way to do it. libpcap-format files, as used by
tcpdump and Ethereal and many other programs, start with a file header,
followed by a bunch of packets; concatenating the files like that
(which, BTW, could more easily have been done with
    cat A B >C
as the name "cat" comes, after all, from "conCATenation") means you have
a file header, a bunch of packets, *another* file header, and more
packets, which is *not* a valid capture file...
> But this is giving the error- Ethereal file seems to be corrupted,
> while opening the file C.
...as Ethereal informed you.
> Any other way to do it?
There are ways of combining capture files in the fashion I described
earlier (merging, which isn't necessarily concatenation).
For example, you can use the "mergecap" utility that comes with
Ethereal. There are other utilities that can combine libpcap capture
files - it looks as if pcapmerge:
http://indev.insu.com/Fwctl/pcapmerge.html
and pcat:
http://www.infosecalliance.com/products/pcaputils.htm
can do it. (They may speak of "tcpdump" capture files, but Ethereal
uses the same format as tcpdump.)
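
The difference between concatenating and merging described in the reply above, as an added Python example (not part of the original message, and not mergecap's own code). It assumes the classic libpcap format with microsecond timestamps; the function names and sample captures are constructed for illustration.

```python
import struct

MAGIC = 0xA1B2C3D4        # classic libpcap, microsecond timestamps
FILE_HDR = "IHHiIII"      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = "IIII"          # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(data):
    """Parse a capture; return (linktype, snaplen, [(ts_sec, ts_usec, orig_len, payload)])."""
    for endian in "<>":
        if struct.unpack_from(endian + "I", data)[0] == MAGIC:
            break
    else:
        raise ValueError("not a classic libpcap file")
    *_, snaplen, linktype = struct.unpack_from(endian + FILE_HDR, data)
    off, packets = 24, []
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_usec, incl, orig = struct.unpack_from(endian + REC_HDR, data, off)
        if ts_sec == MAGIC:
            # Heuristic for "cat A B > C": B's file header sits where a record should be.
            raise ValueError(f"second file header at offset {off}")
        if incl > snaplen or off + 16 + incl > len(data):
            raise ValueError(f"corrupt packet record at offset {off}")
        packets.append((ts_sec, ts_usec, orig, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, snaplen, packets

def write_pcap(linktype, snaplen, packets):
    """Serialize one file header followed by the packet records."""
    out = struct.pack("<" + FILE_HDR, MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, orig, payload in packets:
        out += struct.pack("<" + REC_HDR, ts_sec, ts_usec, len(payload), orig) + payload
    return out

def merge(a, b):
    """One file header, packets from both inputs ordered by arrival time."""
    link_a, snap_a, pkts_a = read_pcap(a)
    link_b, snap_b, pkts_b = read_pcap(b)
    if link_a != link_b:
        raise ValueError("captures come from different link-layer types")
    return write_pcap(link_a, max(snap_a, snap_b), sorted(pkts_a + pkts_b, key=lambda p: p[:2]))

# Constructed sample captures (linktype 1 = Ethernet; payloads are placeholders).
SAMPLE_A = write_pcap(1, 65535, [(1021628540, 100, 6, b"pkt-A1"), (1021628544, 500, 6, b"pkt-A2")])
SAMPLE_B = write_pcap(1, 65535, [(1021628542, 0, 6, b"pkt-B1"), (1021628546, 0, 6, b"pkt-B2")])

if __name__ == "__main__":
    print([p[3] for p in read_pcap(merge(SAMPLE_A, SAMPLE_B))[2]])
    try:
        read_pcap(SAMPLE_A + SAMPLE_B)
    except ValueError as err:
        print("concatenated file rejected:", err)
```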