Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
MERGECAP(1)		The Wireshark Network Analyzer		   MERGECAP(1)

       mergecap	- Merges two or	more capture files into	one

       mergecap	[ -a ] [ -F <file format> ] [ -h ] [ -I	<IDB merge mode> ]
       [ -s <snaplen> ]	[ -v ] [ -V ] -w <outfile>|- <infile> [<infile>	...]

       Mergecap	is a program that combines multiple saved capture files	into a
       single output file specified by the -w argument.	 Mergecap knows	how to
       read pcap and pcapng capture files, including those of tcpdump,
       Wireshark and other tools that write captures in	those formats.

       By default, Mergecap writes the capture file in pcapng format, and
       writes all of the packets from the input	capture	files to the output

       Mergecap	is able	to detect, read	and write the same capture files that
       are supported by	Wireshark.  The	input files don't need a specific
       filename	extension; the file format and an optional gzip	compression
       will be automatically detected.	Near the beginning of the DESCRIPTION
       section of wireshark(1) or
       <> is a detailed
       description of the way Wireshark	handles	this, which is the same	way
       Mergecap	handles	this.

       Mergecap	can write the file in several output formats.  The -F flag can
       be used to specify the format in	which to write the capture file,
       mergecap	-F provides a list of the available output formats.

       Packets from the	input files are	merged in chronological	order based on
       each frame's timestamp, unless the -a flag is specified.	 Mergecap
       assumes that frames within a single capture file	are already stored in
       chronological order.  When the -a flag is specified, packets are	copied
       directly	from each input	file to	the output file, independent of	each
       frame's timestamp.

       The output file frame encapsulation type	is set to the type of the
       input files if all input	files have the same type.  If not all of the
       input files have	the same frame encapsulation type, the output file
       type is set to WTAP_ENCAP_PER_PACKET.  Note that	some capture file
       formats,	most notably pcap, do not currently support
       WTAP_ENCAP_PER_PACKET.  This combination	will cause the output file
       creation	to fail.

       -a  Causes the frame timestamps to be ignored, writing all packets from
	   the first input file	followed by all	packets	from the second	input
	   file.  By default, when -a is not specified,	the contents of	the
	   input files are merged in chronological order based on each frame's

	   Note: when merging, mergecap	assumes	that packets within a capture
	   file	are already in chronological order.

       -F  <file format>
	   Sets	the file format	of the output capture file. Mergecap can write
	   the file in several formats;	mergecap -F provides a list of the
	   available output formats.  By default this is the pcapng format.

       -h  Prints the version and options and exits.

       -I  <IDB	merge mode>
	   Sets	the Interface Description Block	(IDB) merge mode to use	during
	   merging.  mergecap -I provides a list of the	available IDB merge

	   Every input file has	one or more IDBs, which	describe the
	   interface(s)	the capture was	performed on originally. This includes
	   encapsulation type, interface name, etc. When mergecap merges
	   multiple input files, it has	to merge these IDBs somehow for	the
	   new merged output file. This	flag controls how that is
	   accomplished. The currently available modes are:

	       none: No	merging	of IDBs	is performed, and instead all IDBs are
	       copied to the merged output file.

	       all: IDBs are merged only if all	input files have the same
	       number of IDBs, and each	IDB matches their respective entry in
	       the other files.	This is	the default mode.

	       any: Any	and all	duplicate IDBs are merged into one IDB,
	       regardless of what file they are	in.

	   Note	that an	IDB is only considered a matching duplicate if it has
	   the same encapsulation type,	name, speed, time precision, comments,
	   description,	etc.

       -s  <snaplen>
	   Sets	the snapshot length to use when	writing	the data.  If the -s
	   flag	is used	to specify a snapshot length, frames in	the input file
	   with	more captured data than	the specified snapshot length will
	   have	only the amount	of data	specified by the snapshot length
	   written to the output file.	This may be useful if the program that
	   is to read the output file cannot handle packets larger than	a
	   certain size	(for example, the versions of snoop in Solaris 2.5.1
	   and Solaris 2.6 appear to reject Ethernet frames larger than	the
	   standard Ethernet MTU, making them incapable	of handling gigabit
	   Ethernet captures if	jumbo frames were used).

       -v  Causes mergecap to print a number of	messages while it's working.

       -V  Print the version and exit.

       -w  <outfile>|-
	   Sets	the output filename. If	the name is '-', stdout	will be	used.
	   This	setting	is mandatory.

       To merge	two capture files together into	a third	capture	file, in which
       the last	packet of one file arrives 100 seconds before the first	packet
       of another file,	use the	following sequence of commands.

       First, use:

	   capinfos -aeS a.pcap	b.pcap

       to determine the	start and end times of the two capture files, as
       seconds since January 1,	1970, 00:00:00 UTC.

       If a.pcap starts	at 1009932757 and b.pcap ends at 873660281, then the
       time adjustment to b.pcap that would make it end	100 seconds before
       a.pcap begins would be 1009932757 - 873660281 - 100 = 136272376

       Thus, the next step would be to use:

	   editcap -t 136272376	b.pcap b-shifted.pcap

       to generate a version of	b.pcap with its	time stamps shifted 136272376

       Then the	final step would be to use :

	   mergecap -w compare.pcap a.pcap b-shifted.pcap

       to merge	a.pcap and the shifted b.pcap into compare.pcap.

       pcap(3),	wireshark(1), tshark(1), dumpcap(1), editcap(1), text2pcap(1),
       pcap-filter(7) or tcpdump(8)

       Mergecap	is based heavily upon editcap by Richard Sharpe
       <sharpe[AT]> and Guy Harris <guy[AT]>.

       Mergecap	is part	of the Wireshark distribution.	The latest version of
       Wireshark can be	found at <>.

       HTML versions of	the Wireshark project man pages	are available at:

	 Original Author
	 -------- ------
	 Scott Renfro		  <scott[AT]>

	 Bill Guyton		  <guyton[AT]>

3.4.8				  2021-08-25			   MERGECAP(1)


Want to link to this manual page? Use this URL:

home | help