如何连接两个 tcpdump 文件(pcap 文件)
如何连接两个 tcpdump 文件,使一个流量依次出现在文件中? 具体来说,我想“乘以”一个 tcpdump 文件,以便所有会话将依次重复几次。
How to concatenate two tcpdump files, so that one traffic will appear after another in the file? To be concrete I want to "multiply" one tcpdump file, so that all the sessions will be repeated one after another sequentially few times.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
mergecap 可以解决您的问题,但您必须将其与“-a”选项一起使用,否则它会暂时对数据包重新排序。 然后:
mergecap -a file_1.pcap file_1.pcap file_1.cap -w output_file.pcap
mergecap can resolve your issue, but you must use it with '-a' option, otherwise it reorders packets temporally. Then:
mergecap -a file_1.pcap file_1.pcap file_1.cap -w output_file.pcap
正如其他答案所说,您可以在 Wireshark、tcpslice 或 mergecap 中使用“文件”->“合并”。 您还可以将文件拖到 Wireshark 的主窗口中。 如果 Wireshark/tcpdump/snort/Ntop/etc 支持 pcap-ng,您就可以简单地连接捕获文件。
As the other answers say, you can use File->Merge in Wireshark, tcpslice, or mergecap. You can also drag a file into Wireshark's main window. If Wireshark/tcpdump/snort/Ntop/etc supported pcap-ng, you'd be able to simply concatenate your capture files.
Wireshark 有文件 -> 应该执行此操作的合并命令。
我还记得 mergecap 是一个这样做的工具,但我有一段时间没有使用它了。
Wireshark has the File -> Merge command which should do this.
I also remember mergecap being a tool to do so, but I haven't used it in a while.
使用 Wireshark 中的 mergecap:
mergecap ... -w output.cap
Use mergecap from Wireshark:
mergecap ... -w output.cap
要加入多个 pcap,请使用此批处理脚本,
所有 pcap 文件必须位于批处理脚本所在的同一文件夹中,并且当您 dir 目录时,第一个 pcap 文件必须命名为 01.pcap,第二个必须命名为 02.pcap,没有其他局限性。
to join multiple pcap, use this batch script
all pcap files must be in the same folder that batch script located and also first pcap file must be named 01.pcap and second must be 02.pcap when you dir the directory, there is no other limitation.
尝试 pcapjoiner(商业版,演示版仅限 1000 个数据包)。
Try pcapjoiner (commercial, with demo limited to 1000 packets).