Wireshark · Wireshark-users: Re: [Wireshark-users] Capturing and merging files from different machines

[Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>]

Chris Swinney wrote:
> Hi,
>
> I have taken a capture on two different machines from an in-line network 
> tap (one to capture upstream, one to capture downstream data). I now 
> need to merge these file, but when I ask Wireshark to merge them 
> chronologically, it seems to merge them based on the initial time taken 
> into the capture, not the actual capture time.
>
> I have tried to mitigate time differences by synching both machines to 
> an NTP server, but of course both captures are themselves started a 
> different times. How can I best accomplish what I want? I’ve had a look 
> at mergecap (as well as the inbuilt merge facility as shown above), but 
> am not sure if this will still do what I’m after.

Maybe I'm being naive here but I would expect a "chronological merge" to 
merge the packets based on their (absolute) timestamps (that is, based 
on the time stamp of each packet--which is in secs+usecs since the 
epoch), not based on seconds since the beginning of the capture file.

(In fact I merge capture files quite frequently so I somewhat depend on 
this functionality.)

Questions:

- what version of Wireshark are you using?
- what is your time display format (time of day, seconds since beginning 
of capture, etc.)?  Not that it should matter, but...