
Wireshark CLI | Mergecap

Introduction

Mergecap is one of the optional tools installed alongside Wireshark; it is a command-line tool for merging packet capture files.

mergecap [ -a ] [ -F <file format> ] [ -I <IDB merge mode> ] [ -s <snaplen> ] [ -V ] -w <outfile>|- <infile> [<infile>]
mergecap -h|--help
mergecap -v|--version

Description

Mergecap is a program that combines multiple saved capture files into a single output file specified by the -w argument. Mergecap knows how to read pcap and pcapng capture files, including those written by tcpdump, Wireshark and other tools that write captures in these formats.

By default, Mergecap writes the capture file in pcapng format and writes all packets from the input capture files to the output file.

Mergecap can detect, read and write the same capture files that Wireshark supports. Input files do not need a particular filename extension; the file format and optional gzip, zstd or lz4 compression are detected automatically.

Mergecap can write files in several output formats. The -F flag specifies the format of the output capture file; mergecap -F prints a list of the available output formats.

Options

λ mergecap -h
Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Merge two or more capture files into one.
See https://www.wireshark.org for more information.

Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]

Output:
  -a                concatenate rather than merge files.
                    default is to merge based on frame timestamps.
  -s <snaplen>      truncate packets to <snaplen> bytes of data.
  -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
  -F <capture type> set the output file type; default is pcapng.
                    an empty "-F" option will list the file types.
  -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
                    an empty "-I" option will list the merge modes.

Miscellaneous:
  -h, --help        display this help and exit.
  -V                verbose output.
  -v, --version     print version information and exit.

Examples

The examples below illustrate what each option does. The key facts about the test trace files are as follows: test.pcapng contains 3 packets, a TCP three-way handshake, which was split into two capture files: No.1 SYN and No.3 ACK are in test01.pcapng, No.2 SYN/ACK is in test02.pcapng.

λ capinfos test.pcapng
File name:           test.pcapng
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Number of packets:   3
File size:           600 bytes
Data size:           186 bytes
Capture duration:    0.001654 seconds
First packet time:   2021-07-19 13:17:07.172339
Last packet time:    2021-07-19 13:17:07.173993
Data byte rate:      112 kBps
Data bit rate:       899 kbps
Average packet size: 62.00 bytes
Average packet rate: 1813 packets/s
SHA256:              5f618074fa1fbc83fbb113b42ae6fa3e0b7fdb86441b930d0d71842e96b4b521
RIPEMD160:           922b130ccc3bda159bfa399b494da089ef2e50fe
SHA1:                c0d507e9ff122135a3e20e3920649bce636c8726
Strict time order:   True
Capture application: Sanitized by TraceWrangler v0.6.8 build 949
Capture comment:     Sanitized by TraceWrangler v0.6.8 build 949
Number of interfaces in file: 1
Interface #0 info:
                     Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                     Description = Ethernet0
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Time resolution = 0x06
                     Operating system = 64-bit Windows 10 (1809), build 17763
                     Number of stat entries = 0
                     Number of packets = 3

λ capinfos test0*.pcapng
File name:           test01.pcapng
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Number of packets:   2
File size:           488 bytes
Data size:           120 bytes
Capture duration:    0.001654 seconds
First packet time:   2021-07-19 13:17:07.172339
Last packet time:    2021-07-19 13:17:07.173993
Data byte rate:      72 kBps
Data bit rate:       580 kbps
Average packet size: 60.00 bytes
Average packet rate: 1209 packets/s
SHA256:              7f73fa4cee113507fb13bfea6c3d588d16ce62455dba84967b6c7e9ff5f119f9
RIPEMD160:           99c63e7b258156ca52332607170060514a05374c
SHA1:                0e73dc6d560a1ed7a94ba3639d04e268ed58e8a9
Strict time order:   True
Capture application: Sanitized by TraceWrangler v0.6.8 build 949
Capture comment:     Sanitized by TraceWrangler v0.6.8 build 949
Number of interfaces in file: 1
Interface #0 info:
                     Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                     Description = Ethernet0
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Time resolution = 0x06
                     Operating system = 64-bit Windows 10 (1809), build 17763
                     Number of stat entries = 0
                     Number of packets = 2

File name:           test02.pcapng
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Number of packets:   1
File size:           388 bytes
Data size:           66 bytes
Capture duration:    0.000000 seconds
First packet time:   2021-07-19 13:17:07.173872
Last packet time:    2021-07-19 13:17:07.173872
Data byte rate:      0 bytes/s
Data bit rate:       0 bits/s
Average packet size: 66.00 bytes
Average packet rate: 0 packets/s
SHA256:              6c52de6c914bfcefab0f06773fffa2e3a6d6e29be580cf857a7af03cfac12a64
RIPEMD160:           0d1daa946a757cd6f57a3a97c87753f93a88bbf3
SHA1:                623955ea30d52e85dce3e92b963c1440a11b7ed6
Strict time order:   True
Capture application: Sanitized by TraceWrangler v0.6.8 build 949
Capture comment:     Sanitized by TraceWrangler v0.6.8 build 949
Number of interfaces in file: 1
Interface #0 info:
                     Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                     Description = Ethernet0
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Time resolution = 0x06
                     Operating system = 64-bit Windows 10 (1809), build 17763
                     Number of stat entries = 0
                     Number of packets = 1

λ tshark -r test.pcapng
    1   0.000000  192.168.0.1 → 10.10.10.1   TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
    2   0.001533   10.10.10.1 → 192.168.0.1  TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
    3   0.001654  192.168.0.1 → 10.10.10.1   TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0

λ tshark -r test01.pcapng
    1   0.000000  192.168.0.1 → 10.10.10.1   TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
    2   0.001654  192.168.0.1 → 10.10.10.1   TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0

λ tshark -r test02.pcapng
    1   0.000000   10.10.10.1 → 192.168.0.1  TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM

Output

The output options are the following:

Output:
  -a                concatenate rather than merge files.
                    default is to merge based on frame timestamps.
  -s <snaplen>      truncate packets to <snaplen> bytes of data.
  -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
  -F <capture type> set the output file type; default is pcapng.
                    an empty "-F" option will list the file types.
  -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
                    an empty "-I" option will list the merge modes.

The default merge mode orders packets by their frame timestamps. In the example, merging test01 and test02 yields the same packet sequence as test.
λ mergecap -w merge.pcapng test01.pcapng test02.pcapng
λ tshark -r merge.pcapng
    1   0.000000  192.168.0.1 → 10.10.10.1   TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
    2   0.001533   10.10.10.1 → 192.168.0.1  TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
    3   0.001654  192.168.0.1 → 10.10.10.1   TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0

The -a option concatenates the files instead of merging them: all packets of the first input are written first, then those of the second, so the result is no longer in time order, as the relative timestamps below show.
λ mergecap -a -w merge.pcapng test01.pcapng test02.pcapng
λ tshark -r merge.pcapng
    1   0.000000  192.168.0.1 → 10.10.10.1   TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
    2   0.001654  192.168.0.1 → 10.10.10.1   TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
    3   0.001533   10.10.10.1 → 192.168.0.1  TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM

The -s option truncates the captured data of each packet to the given number of bytes; capinfos reports the resulting limit as an inferred snaplen.
λ mergecap -s 40 -w merge.pcapng test01.pcapng test02.pcapng
λ capinfos -l merge.pcapng
File name:           merge.pcapng
Packet size limit:   file hdr: (not set)
Packet size limit:   inferred: 40 bytes

The -w option sets the output file name.
λ mergecap -w merge.pcapng test01.pcapng test02.pcapng

The -F option sets the output file type; the default is pcapng. Given without an argument, it lists the supported types.
λ mergecap -F
mergecap: option requires an argument: F
mergecap: The available capture file types for the "-F" flag are:
    pcap - Wireshark/tcpdump/... - pcap
    pcapng - Wireshark/... - pcapng
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview-ncf - TamoSoft CommView NCF
    commview-ncfx - TamoSoft CommView NCFX
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    logcat - Android Logcat Binary format
    logcat-brief - Android Logcat Brief text format
    logcat-long - Android Logcat Long text format
    logcat-process - Android Logcat Process text format
    logcat-tag - Android Logcat Tag text format
    logcat-thread - Android Logcat Thread text format
    logcat-threadtime - Android Logcat Threadtime text format
    logcat-time - Android Logcat Time text format
    modpcap - Modified tcpdump - pcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - Sniffer (DOS)
    ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
    ngwsniffer_2_0 - Sniffer (Windows) 2.00x
    nokiapcap - Nokia tcpdump - pcap
    nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    nstrace30 - NetScaler Trace (Version 3.0)
    nstrace35 - NetScaler Trace (Version 3.5)
    observer - Viavi Observer
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1pcap - RedHat 6.1 tcpdump - pcap
    snoop - Sun snoop
    suse6_3pcap - SuSE 6.3 tcpdump - pcap
    visual - Visual Networks traffic capture
λ
λ mergecap -F pcap -w merge.pcap test01.pcapng test02.pcapng
λ capinfos -t merge.pcap
File name:           merge.pcap
File type:           Wireshark/tcpdump/... - pcap

The -I option sets the merge mode for Interface Description Blocks (IDBs). Every input file carries one or more IDBs, which describe the interface on which the capture was originally taken: encapsulation type, interface name and so on. When mergecap merges several input files into a new output file, it has to combine these IDBs in some way.
The available modes are: none (no merging is performed; every IDB is simply copied to the output file), all (IDBs are merged only if all input files carry the same IDBs; otherwise it behaves like none), and any (identical IDBs are merged into one, and the remaining, differing IDBs are copied to the output file alongside them). The default is all.
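As an added illustration (not Wireshark's or mergecap's code), the following Python simulates how the three -I modes decide which IDBs reach the output file and how each input file's interface ids are remapped. It represents an IDB by the tuple (name, description, encapsulation), which is an assumption about what "the same" means; the Ethernet0 values are taken from the capinfos output above, the Wi-Fi interface and the "mixed" case are constructed. For the two test files, mode none yields two interfaces, which is what the capinfos output below shows.

```python
"""Simulation of mergecap's -I modes (none / all / any) on IDB descriptors.
Added illustration, not Wireshark code; descriptor tuples are constructed."""
from typing import List, Sequence, Tuple

# Assumption: an IDB is identified by (name, description, encapsulation).
IDB = Tuple[str, str, str]


def merge_idbs(files: Sequence[Sequence[IDB]], mode: str):
    """Return (output_idbs, mapping).

    mapping[f][i] is the output interface id that records from input file f,
    interface i, are rewritten to.
    """
    if mode == "all":
        # Merge only if every file carries exactly the same IDB list;
        # otherwise fall back to 'none'.
        if files and all(list(f) == list(files[0]) for f in files):
            out = list(files[0])
            return out, [list(range(len(out))) for _ in files]
        mode = "none"
    if mode not in ("none", "any"):
        raise ValueError("unknown IDB merge mode: %r" % mode)
    out: List[IDB] = []
    mapping: List[List[int]] = []
    for idbs in files:
        file_map: List[int] = []
        for idb in idbs:
            if mode == "any" and idb in out:   # reuse an identical IDB seen earlier
                file_map.append(out.index(idb))
            else:                               # 'none', or first sight of this IDB
                out.append(idb)
                file_map.append(len(out) - 1)
        mapping.append(file_map)
    return out, mapping


# Interface values from the page's test files; the Wi-Fi descriptor is constructed.
ETH0: IDB = (r"\Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}", "Ethernet0", "ether")
WLAN: IDB = ("wlan0", "Wi-Fi", "ieee-802-11")


def demo():
    """Number of output IDBs for each (input set, mode) combination."""
    same = [[ETH0], [ETH0]]          # test01.pcapng and test02.pcapng: one identical IDB each
    mixed = [[ETH0, WLAN], [ETH0]]   # constructed: IDB sets differ between the files
    return {
        (name, mode): len(merge_idbs(files, mode)[0])
        for name, files in (("same", same), ("mixed", mixed))
        for mode in ("none", "all", "any")
    }


if __name__ == "__main__":
    for key, count in demo().items():
        print(key, "->", count, "interface(s)")
```

The mapping matters in practice: with -I none, packets from test02.pcapng are attributed to a second interface even though both files came from the same NIC, so per-interface statistics in the merged file are split in two.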
λ mergecap -I none -w merge.pcapng test01.pcapng test02.pcapng
λ capinfos merge.pcapng
File name:           merge.pcapng
File type:           Wireshark/... - pcapng
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: (not set)
Number of packets:   3
File size:           872 bytes
Data size:           186 bytes
Capture duration:    0.001654 seconds
First packet time:   2021-07-19 13:17:07.172339
Last packet time:    2021-07-19 13:17:07.173993
Data byte rate:      112 kBps
Data bit rate:       899 kbps
Average packet size: 62.00 bytes
Average packet rate: 1813 packets/s
SHA256:              c9cb0b8614a1e759fada597e788d53593be59d643b013265bf063abc4a7e3a7a
RIPEMD160:           53c882cf632e2782e811d61a02dc0776fa148ae6
SHA1:                36faf965e1f9fd1ff21097c21fa5acd67d1b2de0
Strict time order:   True
Capture oper-sys:    64-bit Windows 10 (1809), build 17763
Capture application: Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Capture comment:     Sanitized by TraceWrangler v0.6.8 build 949
Capture comment:     File created by merging:
                       File1: test01.pcapng
                       File2: test02.pcapng
Number of interfaces in file: 2
Interface #0 info:
                     Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                     Description = Ethernet0
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Time resolution = 0x06
                     Operating system = 64-bit Windows 10 (1809), build 17763
                     Number of stat entries = 0
                     Number of packets = 2
Interface #1 info:
                     Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                     Description = Ethernet0
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 262144
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Time resolution = 0x06
                     Operating system = 64-bit Windows 10 (1809), build 17763
                     Number of stat entries = 0
                     Number of packets = 1
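To make the three output behaviours demonstrated above concrete (timestamp merge, -a concatenation, -s truncation), here is an added Python example that emulates them on legacy pcap files with only the standard library. It is not mergecap's code. The pcap bytes are constructed in build_sample_inputs() to mirror the handshake timestamps and frame lengths of test01.pcapng and test02.pcapng (zero-filled frame bodies and a constructed epoch second), and, like mergecap's default mode, it assumes each input file is itself in time order.

```python
"""Minimal emulation of mergecap's merge / concatenate / snaplen behaviour
on legacy pcap files. Added example, not mergecap's own code."""
import heapq
import struct
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence, Tuple

PCAP_MAGIC_USEC = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
DEFAULT_SNAPLEN = 262144       # the capture length seen in the capinfos output


@dataclass
class Record:
    ts_sec: int
    ts_usec: int
    data: bytes       # captured bytes (may be shorter than orig_len after -s)
    orig_len: int     # length of the frame on the wire

    @property
    def ts(self) -> int:
        return self.ts_sec * 1_000_000 + self.ts_usec


def write_pcap(records: Iterable[Record], snaplen: int = DEFAULT_SNAPLEN) -> bytes:
    """Serialize records behind a 24-byte pcap global header."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0,
                                snaplen, LINKTYPE_ETHERNET))
    for r in records:
        out += struct.pack("<IIII", r.ts_sec, r.ts_usec, len(r.data), r.orig_len)
        out += r.data
    return bytes(out)


def read_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    """Parse a pcap blob into (linktype, records); rejects truncated files."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", blob, 0)
    if magic != PCAP_MAGIC_USEC:
        raise ValueError("not a little-endian microsecond pcap file")
    records, off = [], 24
    while off < len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from("<IIII", blob, off)
        off += 16
        data = blob[off:off + incl_len]
        if len(data) != incl_len:
            raise ValueError("truncated record at offset %d" % off)
        off += incl_len
        records.append(Record(ts_sec, ts_usec, data, orig_len))
    return linktype, records


def merge(inputs: Sequence[bytes], concatenate: bool = False,
          snaplen: Optional[int] = None) -> bytes:
    """Default: k-way merge on timestamp. concatenate=True mirrors -a, snaplen mirrors -s."""
    per_file, linktypes = [], set()
    for blob in inputs:
        lt, recs = read_pcap(blob)
        linktypes.add(lt)
        per_file.append(recs)
    if len(linktypes) != 1:
        raise ValueError("inputs use different link types: %r" % sorted(linktypes))
    if concatenate:
        out = [r for recs in per_file for r in recs]            # file after file, order kept
    else:
        out = list(heapq.merge(*per_file, key=lambda r: r.ts))  # each input must be time-ordered
    if snaplen is not None:
        # Truncate captured bytes but keep the on-wire length, as capinfos then infers the limit.
        out = [Record(r.ts_sec, r.ts_usec, r.data[:snaplen], r.orig_len) for r in out]
    return write_pcap(out, snaplen if snaplen is not None else DEFAULT_SNAPLEN)


def summarize(blob: bytes) -> List[Tuple[int, int, int]]:
    """(timestamp in microseconds, captured length, original length) per record."""
    _, recs = read_pcap(blob)
    return [(r.ts, len(r.data), r.orig_len) for r in recs]


def build_sample_inputs() -> Tuple[bytes, bytes]:
    """Constructed test01/test02 equivalents: same timestamps and lengths as the page's handshake."""
    base = 1626700627   # constructed epoch second; only the sub-second parts match the page
    syn = Record(base, 172339, bytes(66), 66)
    synack = Record(base, 173872, bytes(66), 66)
    ack = Record(base, 173993, bytes(54), 54)
    return write_pcap([syn, ack]), write_pcap([synack])


if __name__ == "__main__":
    f01, f02 = build_sample_inputs()
    print("merge          ", summarize(merge([f01, f02])))
    print("concatenate -a ", summarize(merge([f01, f02], concatenate=True)))
    print("snaplen -s 40  ", summarize(merge([f01, f02], snaplen=40)))
```

Running it reproduces the three orderings seen in the tshark output above: the merge puts SYN/ACK back between SYN and ACK, -a appends test02's packet after test01's two, and -s 40 leaves every record with 40 captured bytes while the original lengths (66, 66, 54; 186 bytes in total, matching the Data size in capinfos) are preserved.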

Miscellaneous

The miscellaneous options are the following:

Miscellaneous:
  -h, --help        display this help and exit.
  -V                verbose output.
  -v, --version     print version information and exit.

λ mergecap -h
Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
Merge two or more capture files into one.
See https://www.wireshark.org for more information.

Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]

Output:
  -a                concatenate rather than merge files.
                    default is to merge based on frame timestamps.
  -s <snaplen>      truncate packets to <snaplen> bytes of data.
  -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
  -F <capture type> set the output file type; default is pcapng.
                    an empty "-F" option will list the file types.
  -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
                    an empty "-I" option will list the merge modes.

Miscellaneous:
  -h, --help        display this help and exit.
  -V                verbose output.
  -v, --version     print version information and exit.

λ mergecap -V
mergecap: an output filename must be set with -w
run with -h for help
λ mergecap -V -w merge.pcapng test01.pcapng test02.pcapng
mergecap: test01.pcapng is type Wireshark/... - pcapng.
mergecap: test02.pcapng is type Wireshark/... - pcapng.
mergecap: selected frame_type Ethernet (ether)
mergecap: ready to merge records
Record: 1
Record: 2
Record: 3
mergecap: merging complete

λ mergecap -v
Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b).

Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
Licensed under the terms of the GNU General Public License (version 2 or later).
This is free software; see the file named COPYING in the distribution. There is
NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with binary plugins.

Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) Gold
6242R CPU @ 3.10GHz (with SSE4.2), with 16382 MB of physical memory, with GLib
2.72.3, with PCRE2 10.40 2022-04-14, with LC_TYPE=C, binary plugins supported.