MAN page from RedHat 7.X ethereal-0.9.2-1.i386.rpm


Section: The Ethereal Network Analyzer (1)
Updated: 0.9.2


mergecap - Merges two capture files into one 


mergecap [ -hva ] [ -s snaplen ] [ -F file format ] [ -T encapsulation type ] -w outfile infile ...


Mergecap is a program that combines multiple saved capture files into a single output file specified by the -w argument. Mergecap knows how to read libpcap capture files, including those of tcpdump, Ethereal, and other tools that write captures in that format. In addition, Mergecap can read capture files from snoop and atmsnoop, Shomiti/Finisar Surveyor, Novell LANalyzer, Network General/Network Associates DOS-based Sniffer (compressed or uncompressed), Microsoft Network Monitor, AIX's iptrace, Cinco Networks NetXRay, Network Associates Windows-based Sniffer, AG Group/WildPackets EtherPeek/TokenPeek/AiroPeek, RADCOM's WAN/LAN analyzer, Lucent/Ascend router debug output, HP-UX's nettl, the dump output from Toshiba's ISDN routers, the output from i4btrace from the ISDN4BSD project, the output in IPLog format from the Cisco Secure Intrusion Detection System, pppd logs (pppdump format), the output from VMS's TCPIPtrace utility, the text output from the DBS Etherwatch VMS utility, and traffic capture files from Visual Networks' Visual UpTime. There is no need to tell Mergecap what type of file you are reading; it will determine the file type by itself. Mergecap is also capable of reading any of these file formats if they are compressed using gzip. Mergecap recognizes this directly from the file; the '.gz' extension is not required for this purpose.

By default, it writes the capture file in libpcap format, and writes all of the packets in both input capture files to the output file. The -F flag can be used to specify the format in which to write the capture file; it can write the file in libpcap format (standard libpcap format, a modified format used by some patched versions of libpcap, the format used by Red Hat Linux 6.1, or the format used by SuSE Linux 6.3), snoop format, uncompressed Sniffer format, Microsoft Network Monitor 1.x format, the format used by Windows-based versions of the Sniffer software, and the format used by Visual Networks' software.

Packets from the input files are merged in chronological order based on each frame's timestamp, unless the -a flag is specified. Mergecap assumes that frames within a single capture file are already stored in chronological order. When the -a flag is specified, packets are copied directly from each input file to the output file, independent of each frame's timestamp.

If the -s flag is used to specify a snapshot length, frames in the input file with more captured data than the specified snapshot length will have only the amount of data specified by the snapshot length written to the output file. This may be useful if the program that is to read the output file cannot handle packets larger than a certain size (for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet frames larger than the standard Ethernet MTU, making them incapable of handling gigabit Ethernet captures if jumbo frames were used).

The output file frame encapsulation type is set to the type of the input files, if all input files have the same type. If not all of the input files have the same frame encapsulation type, the output file type is set to WTAP_ENCAP_PER_PACKET. Note that some capture file formats, most notably libpcap, do not currently support WTAP_ENCAP_PER_PACKET. This combination will cause the output file creation to fail.
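The merge order, -a, -s and mixed-encapsulation behaviour described above, sketched in Python as an added example (not mergecap's own code). It assumes little-endian classic libpcap input only; make_pcap, read_pcap and merge are names invented for this sketch, and the sample captures are constructed.

```python
import heapq
import struct

PCAP_MAGIC = 0xA1B2C3D4                 # classic libpcap, microsecond timestamps
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

def make_pcap(linktype, frames, snaplen=65535):
    """Build a little-endian libpcap byte string from (sec, usec, payload) tuples."""
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)
    for sec, usec, data in frames:
        out += RECORD_HDR.pack(sec, usec, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Return (linktype, [(sec, usec, orig_len, data), ...])."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian libpcap file")
    frames, off = [], GLOBAL_HDR.size
    while off < len(blob):
        sec, usec, incl, orig = RECORD_HDR.unpack_from(blob, off)
        off += RECORD_HDR.size
        frames.append((sec, usec, orig, blob[off:off + incl]))
        off += incl
    return linktype, frames

def merge(blobs, append=False, snaplen=65535):
    """Merge captures by timestamp (default) or concatenate them (append=True, like -a)."""
    parsed = [read_pcap(b) for b in blobs]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        # libpcap stores one link type per file, so mixed inputs cannot be written
        raise ValueError("mixed encapsulation types: %s" % sorted(linktypes))
    streams = [frames for _, frames in parsed]
    if append:
        ordered = [f for s in streams for f in s]
    else:
        # each input is assumed to be already in chronological order
        ordered = heapq.merge(*streams, key=lambda f: (f[0], f[1]))
    out = GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktypes.pop())
    for sec, usec, orig, data in ordered:
        data = data[:snaplen]  # -s: keep at most snaplen captured bytes
        out += RECORD_HDR.pack(sec, usec, len(data), orig) + data
    return out

# Constructed sample: two Ethernet (link type 1) captures with interleaved timestamps
A = make_pcap(1, [(10, 0, b"a1"), (30, 0, b"a2")])
B = make_pcap(1, [(20, 0, b"b1")])
```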

If the -T flag is used to specify a frame encapsulation type, the encapsulation type of the output capture file will be forced to the specified type, rather than being the type appropriate to the encapsulation type of the input capture files. Note that this merely forces the encapsulation type of the output file to be the specified type; the packet headers of the packets will not be translated from the encapsulation type of the input capture file to the specified encapsulation type (for example, it will not translate an Ethernet capture to an FDDI capture if an Ethernet capture is read and '-T fddi' is specified).


-w  Sets the output filename.
-F  Sets the file format of the output capture file.
-T  Sets the packet encapsulation type of the output capture file.
-a  Causes the frame timestamps to be ignored, writing all packets from the first input file followed by all packets from the second input file. By default, when -a is not specified, the contents of the input files are merged in chronological order based on each frame's timestamp. Note: when merging, mergecap assumes that packets within a capture file are already in chronological order.
-v  Causes mergecap to print a number of messages while it's working.
-s  Sets the snapshot length to use when writing the data.
-h  Prints the version and options and exits.


tcpdump(8), pcap(3), ethereal(1), editcap(1) 


Mergecap is based heavily upon editcap by Richard Sharpe and Guy Harris.

Mergecap is part of the Ethereal distribution. The latest version of Ethereal can be found at 


  Original Author
  -------- ------
  Scott Renfro

  Contributors
  ------------



