User Guide
Related command line tools
uncompressed Sniffer format, Microsoft Network Monitor 1.x format, and the format used by Windows-based versions of the Sniffer software.

Packets from the input files are merged in chronological order based on each frame's timestamp, unless the -a flag is specified. Mergecap assumes that frames within a single capture file are already stored in chronological order. When the -a flag is specified, packets are copied directly from each input file to the output file, independent of each frame's timestamp.

If the -s flag is used to specify a snapshot length, frames in the input file with more captured data than the specified snapshot length will have only the amount of data specified by the snapshot length written to the output file. This may be useful if the program that is to read the output file cannot handle packets larger than a certain size (for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject Ethernet frames larger than the standard Ethernet MTU, making them incapable of handling gigabit Ethernet captures if jumbo frames were used).

If the -T flag is used to specify an encapsulation type, the encapsulation type of the output capture file will be forced to the specified type, rather than being the type appropriate to the encapsulation type of the input capture file. Note that this merely forces the encapsulation type of the output file to be the specified type; the packet headers of the packets will not be translated from the encapsulation type of the input capture file to the specified encapsulation type (for example, it will not translate an Ethernet capture to an FDDI capture if an Ethernet capture is read and '-T fddi' is specified).

Example D.8. Help information available from mergecap
Mergecap 1.7.0 (SVN Rev 39165 from /trunk)
Merge two or more capture files into one.
See http://www.wireshark.org for more information.

Usage: mergecap [options] -w <outfile>|- <infile> ...

Output:
  -a                concatenate rather than merge files.
                    default is to merge based on frame timestamps.
  -s <snaplen>      truncate packets to <snaplen> bytes of data.
  -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
  -F <capture type> set the output file type; default is libpcap.
                    an empty "-F" option will list the file types.
  -T <encap type>   set the output file encapsulation type;
                    default is the same as the first input file.
                    an empty "-T" option will list the encapsulation types.

Miscellaneous:
  -h                display this help and exit.
  -v                verbose output.

A simple example merging dhcp-capture.libpcap and imap-1.libpcap into
outfile.libpcap is shown below.
Example D.9. Simple example of using mergecap
$ mergecap -w outfile.libpcap dhcp-capture.libpcap imap-1.libpcap
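
The merge, -a, -s and -T behaviour described above, modelled on classic little-endian libpcap files as an added example (this is not mergecap's own code and not part of the original guide). The function names, the sample frames and the snaplen written to the output header are assumptions made for illustration. It shows that -s discards captured payload while the original length field survives, and that -T relabels the file without changing any packet bytes.

```python
import heapq
import struct

MAGIC = 0xA1B2C3D4                    # classic libpcap, microsecond timestamps
ETHERNET, FDDI = 1, 10                # LINKTYPE_ values stored in the file header

def file_header(snaplen, linktype):
    return struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, linktype)

def build_pcap(frames, linktype=ETHERNET):
    """Serialize [(ts_sec, ts_usec, data), ...] as a little-endian pcap file."""
    out = file_header(65535, linktype)
    for sec, usec, data in frames:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def read_pcap(blob):
    """Yield (ts_sec, ts_usec, orig_len, data) for each record in the file."""
    if struct.unpack_from("<I", blob, 0)[0] != MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    off = 24
    while off + 16 <= len(blob):
        sec, usec, incl, orig = struct.unpack_from("<IIII", blob, off)
        yield sec, usec, orig, blob[off + 16:off + 16 + incl]
        off += 16 + incl

def linktype_of(blob):
    return struct.unpack_from("<I", blob, 20)[0]

def merge(inputs, concatenate=False, snaplen=None, force_linktype=None):
    streams = [read_pcap(b) for b in inputs]
    if concatenate:                   # -a: file order, timestamps ignored
        records = (r for s in streams for r in s)
    else:                             # default: each input assumed already sorted
        records = heapq.merge(*streams, key=lambda r: (r[0], r[1]))
    # -T: only the header field changes; packet bytes are never translated
    linktype = linktype_of(inputs[0]) if force_linktype is None else force_linktype
    out = file_header(snaplen or 65535, linktype)
    for sec, usec, orig, data in records:
        data = data if snaplen is None else data[:snaplen]   # -s: cut captured bytes
        out += struct.pack("<IIII", sec, usec, len(data), orig) + data
    return out

# Constructed sample captures (not real traffic)
SAMPLE_A = build_pcap([(100, 0, b"A" * 60), (300, 0, b"B" * 1500)])
SAMPLE_B = build_pcap([(200, 500, b"C" * 90)])

if __name__ == "__main__":
    for rec in read_pcap(merge([SAMPLE_A, SAMPLE_B], snaplen=64)):
        print(rec[0], "captured", len(rec[3]), "of", rec[2], "bytes")
```

When merged captures are kept as evidence, record which of these options were used: a truncated or relabelled file will dissect differently from its inputs.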