Wireshark CLI | Mergecap


    Introduction

    Mergecap is one of the optional tools installed alongside Wireshark; it is a command-line tool for merging packet capture files.

    mergecap [ -a ] [ -F <file format> ] [ -I <IDB merge mode> ] [ -s <snaplen> ] [ -V ] -w <outfile>|- <infile> [<infile>]
    
    mergecap -h|--help
    
    mergecap -v|--version
    

    Description

    Mergecap is a program that combines multiple saved capture files into a single output file specified by the -w argument. Mergecap knows how to read pcap and pcapng capture files, including those written by tcpdump, Wireshark, and other tools that write captures in those formats.

    By default, Mergecap writes the capture file in pcapng format and writes all of the packets from the input capture files to the output file.

    Mergecap is able to detect, read and write the same capture files that are supported by Wireshark. The input files do not need a specific filename extension; the file format and an optional gzip, zstd or lz4 compression are detected automatically.

    Mergecap can write files in several output formats. The -F flag can be used to specify the format in which to write the capture file; mergecap -F prints the list of available output formats.

    Options

    λ mergecap -h
    Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
    Merge two or more capture files into one.
    See https://www.wireshark.org for more information.
    
    Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
    
    Output:
      -a                concatenate rather than merge files.
                        default is to merge based on frame timestamps.
      -s <snaplen>      truncate packets to <snaplen> bytes of data.
      -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
      -F <capture type> set the output file type; default is pcapng.
                        an empty "-F" option will list the file types.
      -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
                        an empty "-I" option will list the merge modes.
    
    Miscellaneous:
      -h, --help        display this help and exit.
      -V                verbose output.
      -v, --version     print version information and exit.
    

    Examples

    The examples below explain the effect of each option. The test trace files are as follows: test.pcapng contains 3 packets, a TCP three-way handshake, which was split into two packet files: No.1 SYN and No.3 ACK went to test01.pcapng, and No.2 SYN/ACK went to test02.pcapng.

    λ capinfos test.pcapng
    File name:           test.pcapng
    File type:           Wireshark/... - pcapng
    File encapsulation:  Ethernet
    File timestamp precision:  microseconds (6)
    Packet size limit:   file hdr: (not set)
    Number of packets:   3
    File size:           600 bytes
    Data size:           186 bytes
    Capture duration:    0.001654 seconds
    First packet time:   2021-07-19 13:17:07.172339
    Last packet time:    2021-07-19 13:17:07.173993
    Data byte rate:      112 kBps
    Data bit rate:       899 kbps
    Average packet size: 62.00 bytes
    Average packet rate: 1813 packets/s
    SHA256:              5f618074fa1fbc83fbb113b42ae6fa3e0b7fdb86441b930d0d71842e96b4b521
    RIPEMD160:           922b130ccc3bda159bfa399b494da089ef2e50fe
    SHA1:                c0d507e9ff122135a3e20e3920649bce636c8726
    Strict time order:   True
    Capture application: Sanitized by TraceWrangler v0.6.8 build 949
    Capture comment:     Sanitized by TraceWrangler v0.6.8 build 949
    Number of interfaces in file: 1
    Interface #0 info:
                         Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                         Description = Ethernet0
                         Encapsulation = Ethernet (1 - ether)
                         Capture length = 262144
                         Time precision = microseconds (6)
                         Time ticks per second = 1000000
                         Time resolution = 0x06
                         Operating system = 64-bit Windows 10 (1809), build 17763
                         Number of stat entries = 0
                         Number of packets = 3
                             
    
    λ capinfos test0*.pcapng
    File name:           test01.pcapng
    File type:           Wireshark/... - pcapng
    File encapsulation:  Ethernet
    File timestamp precision:  microseconds (6)
    Packet size limit:   file hdr: (not set)
    Number of packets:   2
    File size:           488 bytes
    Data size:           120 bytes
    Capture duration:    0.001654 seconds
    First packet time:   2021-07-19 13:17:07.172339
    Last packet time:    2021-07-19 13:17:07.173993
    Data byte rate:      72 kBps
    Data bit rate:       580 kbps
    Average packet size: 60.00 bytes
    Average packet rate: 1209 packets/s
    SHA256:              7f73fa4cee113507fb13bfea6c3d588d16ce62455dba84967b6c7e9ff5f119f9
    RIPEMD160:           99c63e7b258156ca52332607170060514a05374c
    SHA1:                0e73dc6d560a1ed7a94ba3639d04e268ed58e8a9
    Strict time order:   True
    Capture application: Sanitized by TraceWrangler v0.6.8 build 949
    Capture comment:     Sanitized by TraceWrangler v0.6.8 build 949
    Number of interfaces in file: 1
    Interface #0 info:
                         Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                         Description = Ethernet0
                         Encapsulation = Ethernet (1 - ether)
                         Capture length = 262144
                         Time precision = microseconds (6)
                         Time ticks per second = 1000000
                         Time resolution = 0x06
                         Operating system = 64-bit Windows 10 (1809), build 17763
                         Number of stat entries = 0
                         Number of packets = 2
    
    File name:           test02.pcapng
    File type:           Wireshark/... - pcapng
    File encapsulation:  Ethernet
    File timestamp precision:  microseconds (6)
    Packet size limit:   file hdr: (not set)
    Number of packets:   1
    File size:           388 bytes
    Data size:           66 bytes
    Capture duration:    0.000000 seconds
    First packet time:   2021-07-19 13:17:07.173872
    Last packet time:    2021-07-19 13:17:07.173872
    Data byte rate:      0 bytes/s
    Data bit rate:       0 bits/s
    Average packet size: 66.00 bytes
    Average packet rate: 0 packets/s
    SHA256:              6c52de6c914bfcefab0f06773fffa2e3a6d6e29be580cf857a7af03cfac12a64
    RIPEMD160:           0d1daa946a757cd6f57a3a97c87753f93a88bbf3
    SHA1:                623955ea30d52e85dce3e92b963c1440a11b7ed6
    Strict time order:   True
    Capture application: Sanitized by TraceWrangler v0.6.8 build 949
    Capture comment:     Sanitized by TraceWrangler v0.6.8 build 949
    Number of interfaces in file: 1
    Interface #0 info:
                         Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                         Description = Ethernet0
                         Encapsulation = Ethernet (1 - ether)
                         Capture length = 262144
                         Time precision = microseconds (6)
                         Time ticks per second = 1000000
                         Time resolution = 0x06
                         Operating system = 64-bit Windows 10 (1809), build 17763
                         Number of stat entries = 0
                         Number of packets = 1
    
    
                          
    λ tshark -r test.pcapng
        1   0.000000  192.168.0.1 → 10.10.10.1   TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
        2   0.001533   10.10.10.1 → 192.168.0.1  TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
        3   0.001654  192.168.0.1 → 10.10.10.1   TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
                             
    λ tshark -r test01.pcapng
        1   0.000000  192.168.0.1 → 10.10.10.1   TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
        2   0.001654  192.168.0.1 → 10.10.10.1   TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
    
    λ tshark -r test02.pcapng
        1   0.000000   10.10.10.1 → 192.168.0.1  TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
    

    Output

    The output options are mainly the following:

    Output:
      -a                concatenate rather than merge files.
                        default is to merge based on frame timestamps.
      -s <snaplen>      truncate packets to <snaplen> bytes of data.
      -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
      -F <capture type> set the output file type; default is pcapng.
                        an empty "-F" option will list the file types.
      -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
                        an empty "-I" option will list the merge modes.
    
    
    
    The default merge method is based on the frame timestamps. In the example, merging test01 and test02 produces a file identical to test.
    λ mergecap -w merge.pcapng test01.pcapng test02.pcapng
    λ tshark -r merge.pcapng
        1   0.000000  192.168.0.1 → 10.10.10.1   TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
        2   0.001533   10.10.10.1 → 192.168.0.1  TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
        3   0.001654  192.168.0.1 → 10.10.10.1   TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
    
    
    The -a option: concatenate the files rather than merging them, so the records keep input-file order and timestamps are ignored.
    λ mergecap -a -w merge.pcapng test01.pcapng test02.pcapng
    λ tshark -r merge.pcapng
        1   0.000000  192.168.0.1 → 10.10.10.1   TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
        2   0.001654  192.168.0.1 → 10.10.10.1   TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
        3   0.001533   10.10.10.1 → 192.168.0.1  TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
    
    
    The -s option: truncate the stored packet data to the given number of bytes.
    λ mergecap -s 40 -w merge.pcapng test01.pcapng test02.pcapng
    λ capinfos -l merge.pcapng
    File name:           merge.pcapng
    Packet size limit:   file hdr: (not set)
    Packet size limit:   inferred: 40 bytes
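To make the three behaviours shown above (default timestamp merge, -a concatenation, -s truncation) concrete without running the tool, here is a small re-implementation over classic pcap data. This is an added example, not code from the original post or from Wireshark; the packet records, timestamps, port labels and helper names are constructed for the example, and it works on classic pcap rather than the pcapng files the post uses.

```python
"""Added example: the ordering and truncation rules of mergecap, re-implemented
on in-memory classic pcap files.

  merge_by_timestamp()  ~ default mergecap behaviour (no -a)
  concatenate()         ~ mergecap -a
  truncate()            ~ mergecap -s <snaplen>

All inputs below are constructed; nothing here comes from Wireshark's sources."""
import heapq
import struct
from typing import List, Tuple

PCAP_MAGIC_LE = 0xA1B2C3D4    # magic of a little-endian file when read with "<I"
PCAP_MAGIC_BE = 0xD4C3B2A1    # what a big-endian file's magic looks like when read with "<I"
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = 24
REC_HDR = 16

# (ts_sec, ts_usec, orig_len, stored bytes)
Record = Tuple[int, int, int, bytes]


def write_pcap(records: List[Record], snaplen: int = 262144) -> bytes:
    """Serialise records as a little-endian classic pcap file (version 2.4)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, orig_len, data in records:
        # incl_len = bytes stored in the file, orig_len = bytes seen on the wire
        out += struct.pack("<IIII", ts_sec, ts_usec, len(data), orig_len)
        out += data
    return bytes(out)


def read_pcap(blob: bytes) -> List[Record]:
    """Parse a classic pcap file of either byte order; bounds-check every record
    so a malformed incl_len cannot make us read past the buffer."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC_LE:
        e = "<"
    elif magic == PCAP_MAGIC_BE:
        e = ">"
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    records, off = [], GLOBAL_HDR
    while off < len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(e + "IIII", blob[off:off + REC_HDR])
        off += REC_HDR
        if off + incl_len > len(blob):
            raise ValueError("truncated record")
        records.append((ts_sec, ts_usec, orig_len, blob[off:off + incl_len]))
        off += incl_len
    return records


def concatenate(files: List[bytes]) -> List[Record]:
    """mergecap -a: input-file order, then record order; timestamps are ignored."""
    out: List[Record] = []
    for blob in files:
        out.extend(read_pcap(blob))
    return out


def merge_by_timestamp(files: List[bytes]) -> List[Record]:
    """Default mergecap: k-way merge on (ts_sec, ts_usec). On a tie the record from
    the earlier input file wins, and order within one file is preserved."""
    heap = []
    for fidx, blob in enumerate(files):
        for ridx, rec in enumerate(read_pcap(blob)):
            heapq.heappush(heap, ((rec[0], rec[1]), fidx, ridx, rec))
    out: List[Record] = []
    while heap:
        out.append(heapq.heappop(heap)[3])
    return out


def truncate(records: List[Record], snaplen: int) -> List[Record]:
    """mergecap -s <snaplen>: store at most snaplen bytes per record; orig_len is
    kept so a reader can still tell how long the frame was on the wire."""
    return [(s, u, orig, data[:snaplen]) for s, u, orig, data in records]


# Constructed stand-ins for test01/test02: same timestamps as the post's trace.
T0 = 1626700627  # constructed epoch seconds (about 2021-07-19 13:17:07 UTC)
SYN = (T0, 172339, 66, b"SYN".ljust(66, b"\0"))
SYNACK = (T0, 173872, 66, b"SYN/ACK".ljust(66, b"\0"))
ACK = (T0, 173993, 54, b"ACK".ljust(54, b"\0"))
TEST01 = write_pcap([SYN, ACK])   # No.1 SYN and No.3 ACK
TEST02 = write_pcap([SYNACK])     # No.2 SYN/ACK


def labels(records: List[Record]) -> List[str]:
    """Human-readable view of a record list (uses the constructed payload tags)."""
    return [r[3].rstrip(b"\0").decode() for r in records]


if __name__ == "__main__":
    print("merge :", labels(merge_by_timestamp([TEST01, TEST02])))
    print("concat:", labels(concatenate([TEST01, TEST02])))
    print("snap40:", [len(r[3]) for r in truncate(concatenate([TEST01, TEST02]), 40)])
```

The timestamp merge is what you want when stitching captures from several sensors into one timeline for an investigation, but it only gives a correct timeline if the sensors' clocks were synchronised; -a is the safer choice when you need to keep each file's own record order intact. The explicit bounds check in read_pcap is the kind of guard any parser fed with captures from an untrusted source needs.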
    
    
    The -w option: set the output file name.
    λ mergecap -w merge.pcapng test01.pcapng test02.pcapng
    
    
    The -F option: set the output file type; the default is pcapng.
    λ mergecap -F
    mergecap: option requires an argument: F
    mergecap: The available capture file types for the "-F" flag are:
        pcap - Wireshark/tcpdump/... - pcap
        pcapng - Wireshark/... - pcapng
        5views - InfoVista 5View capture
        btsnoop - Symbian OS btsnoop
        commview-ncf - TamoSoft CommView NCF
        commview-ncfx - TamoSoft CommView NCFX
        dct2000 - Catapult DCT2000 trace (.out format)
        erf - Endace ERF capture
        eyesdn - EyeSDN USB S0/E1 ISDN trace format
        k12text - K12 text file
        lanalyzer - Novell LANalyzer
        logcat - Android Logcat Binary format
        logcat-brief - Android Logcat Brief text format
        logcat-long - Android Logcat Long text format
        logcat-process - Android Logcat Process text format
        logcat-tag - Android Logcat Tag text format
        logcat-thread - Android Logcat Thread text format
        logcat-threadtime - Android Logcat Threadtime text format
        logcat-time - Android Logcat Time text format
        modpcap - Modified tcpdump - pcap
        netmon1 - Microsoft NetMon 1.x
        netmon2 - Microsoft NetMon 2.x
        nettl - HP-UX nettl trace
        ngsniffer - Sniffer (DOS)
        ngwsniffer_1_1 - NetXray, Sniffer (Windows) 1.1
        ngwsniffer_2_0 - Sniffer (Windows) 2.00x
        nokiapcap - Nokia tcpdump - pcap
        nsecpcap - Wireshark/tcpdump/... - nanosecond pcap
        nstrace10 - NetScaler Trace (Version 1.0)
        nstrace20 - NetScaler Trace (Version 2.0)
        nstrace30 - NetScaler Trace (Version 3.0)
        nstrace35 - NetScaler Trace (Version 3.5)
        observer - Viavi Observer
        rf5 - Tektronix K12xx 32-bit .rf5 format
        rh6_1pcap - RedHat 6.1 tcpdump - pcap
        snoop - Sun snoop
        suse6_3pcap - SuSE 6.3 tcpdump - pcap
        visual - Visual Networks traffic capture
    λ
    λ mergecap -F pcap -w merge.pcap test01.pcapng test02.pcapng
    λ capinfos -t merge.pcap
    File name:           merge.pcap
    File type:           Wireshark/tcpdump/... - pcap
    
    
    
    The -I option: set the merge mode for Interface Description Blocks (IDBs). Each input file has one or more IDBs, which describe the interface(s) on which the capture was originally performed, including the encapsulation type, interface name, and so on. When mergecap merges multiple input files into a new merged output file, it must merge these IDBs in some way.
    The modes currently available are: none (no merging is performed; all IDBs are simply copied to the output file), all (IDBs are merged only if they are identical across all input files; otherwise it behaves like none), and any (identical IDBs are merged, and the result is copied to the output file together with the differing ones). The default is all.
    λ mergecap -I none -w merge.pcapng test01.pcapng test02.pcapng
    λ capinfos merge.pcapng
    File name:           merge.pcapng
    File type:           Wireshark/... - pcapng
    File encapsulation:  Ethernet
    File timestamp precision:  microseconds (6)
    Packet size limit:   file hdr: (not set)
    Number of packets:   3
    File size:           872 bytes
    Data size:           186 bytes
    Capture duration:    0.001654 seconds
    First packet time:   2021-07-19 13:17:07.172339
    Last packet time:    2021-07-19 13:17:07.173993
    Data byte rate:      112 kBps
    Data bit rate:       899 kbps
    Average packet size: 62.00 bytes
    Average packet rate: 1813 packets/s
    SHA256:              c9cb0b8614a1e759fada597e788d53593be59d643b013265bf063abc4a7e3a7a
    RIPEMD160:           53c882cf632e2782e811d61a02dc0776fa148ae6
    SHA1:                36faf965e1f9fd1ff21097c21fa5acd67d1b2de0
    Strict time order:   True
    Capture oper-sys:    64-bit Windows 10 (1809), build 17763
    Capture application: Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
    Capture comment:     Sanitized by TraceWrangler v0.6.8 build 949  File created by merging:  File1: test01.pcapng  File2: test02.pcapng
    Number of interfaces in file: 2
    Interface #0 info:
                         Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                         Description = Ethernet0
                         Encapsulation = Ethernet (1 - ether)
                         Capture length = 262144
                         Time precision = microseconds (6)
                         Time ticks per second = 1000000
                         Time resolution = 0x06
                         Operating system = 64-bit Windows 10 (1809), build 17763
                         Number of stat entries = 0
                         Number of packets = 2
    Interface #1 info:
                         Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
                         Description = Ethernet0
                         Encapsulation = Ethernet (1 - ether)
                         Capture length = 262144
                         Time precision = microseconds (6)
                         Time ticks per second = 1000000
                         Time resolution = 0x06
                         Operating system = 64-bit Windows 10 (1809), build 17763
                         Number of stat entries = 0
                         Number of packets = 1
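The part of the IDB merge modes that the capinfos output above only shows indirectly is the renumbering: every packet block carries the index of its interface, so whenever IDBs are merged or copied the indices in the packets must be rewritten. The following added example (not code from the post or from Wireshark) models the three modes over a simplified interface description; the IDB fields, file contents and interface names are constructed, and packets are simply concatenated here because ordering was covered separately.

```python
"""Added example: the none / all / any IDB merge modes of mergecap -I, modelled
on a simplified interface description instead of real pcapng blocks.
Everything here is constructed for illustration."""
from typing import List, Tuple

IDB = Tuple[int, str, int]          # (link type, interface name, snaplen): the compared fields
Packet = Tuple[int, bytes]          # (interface index within its own file, frame bytes)
CaptureFile = Tuple[List[IDB], List[Packet]]


def merge_idbs(files: List[CaptureFile], mode: str) -> Tuple[List[IDB], List[List[int]]]:
    """Return the output IDB list and, for each input file, the map from that
    file's interface index to the index in the output file."""
    if mode not in ("none", "all", "any"):
        raise ValueError("unknown IDB merge mode: %s" % mode)
    if not files:
        return [], []
    idb_lists = [f[0] for f in files]

    if mode == "all" and all(lst == idb_lists[0] for lst in idb_lists):
        # every file declares exactly the same interfaces: emit them once
        out = list(idb_lists[0])
        return out, [list(range(len(out))) for _ in files]

    if mode == "any":
        # deduplicate: an IDB identical to one already emitted is reused
        out, maps = [], []
        for idbs in idb_lists:
            m = []
            for idb in idbs:
                if idb not in out:
                    out.append(idb)
                m.append(out.index(idb))
            maps.append(m)
        return out, maps

    # mode "none", or mode "all" whose inputs differ: copy every IDB, renumbering
    out, maps = [], []
    for idbs in idb_lists:
        maps.append([len(out) + i for i in range(len(idbs))])
        out.extend(idbs)
    return out, maps


def merge_files(files: List[CaptureFile], mode: str) -> Tuple[List[IDB], List[Packet]]:
    """Merge IDBs in the chosen mode and rewrite each packet's interface index."""
    out_idbs, maps = merge_idbs(files, mode)
    packets: List[Packet] = []
    for (idbs, pkts), m in zip(files, maps):
        for iface, frame in pkts:
            if iface >= len(idbs):
                # a packet pointing at an undeclared interface is a malformed file
                raise ValueError("packet references interface %d, file declares %d" % (iface, len(idbs)))
            packets.append((m[iface], frame))
    return out_idbs, packets


# Constructed inputs mirroring the post: both test files captured on Ethernet0.
ETH0: IDB = (1, "Ethernet0", 262144)
WLAN: IDB = (1, "Wi-Fi", 262144)       # a different interface, for the "any"/"all" contrast
TEST01: CaptureFile = ([ETH0], [(0, b"SYN"), (0, b"ACK")])
TEST02: CaptureFile = ([ETH0], [(0, b"SYN/ACK")])
TEST03: CaptureFile = ([WLAN], [(0, b"other")])


def interface_ids(files: List[CaptureFile], mode: str) -> List[int]:
    """Interface index of each output packet, in output order."""
    return [iface for iface, _ in merge_files(files, mode)[1]]


if __name__ == "__main__":
    for mode in ("none", "all", "any"):
        idbs, pkts = merge_files([TEST01, TEST02], mode)
        print(mode, "->", len(idbs), "interface(s), packet ifaces", [i for i, _ in pkts])
```

With -I none on test01 and test02 the model reproduces what capinfos reported above: two identical Ethernet0 IDBs, two packets on interface #0 and one on #1. With the default all mode the same inputs collapse to a single IDB, and any behaves like all here but also keeps deduplicating when a third file with a different interface is added, where all falls back to copying everything.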
    

    Miscellaneous

    The miscellaneous options are mainly the following:

    Miscellaneous:
      -h, --help        display this help and exit.
      -V                verbose output.
      -v, --version     print version information and exit.
    
    
    
    λ mergecap -h
    Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b)
    Merge two or more capture files into one.
    See https://www.wireshark.org for more information.
    
    Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
    
    Output:
      -a                concatenate rather than merge files.
                        default is to merge based on frame timestamps.
      -s <snaplen>      truncate packets to <snaplen> bytes of data.
      -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.
      -F <capture type> set the output file type; default is pcapng.
                        an empty "-F" option will list the file types.
      -I <IDB merge mode> set the merge mode for Interface Description Blocks; default is 'all'.
                        an empty "-I" option will list the merge modes.
    
    Miscellaneous:
      -h, --help        display this help and exit.
      -V                verbose output.
      -v, --version     print version information and exit.
    
    
    
    λ mergecap -V
    mergecap: an output filename must be set with -w
              run with -h for help
    λ mergecap -V -w merge.pcapng test01.pcapng test02.pcapng
    mergecap: test01.pcapng is type Wireshark/... - pcapng.
    mergecap: test02.pcapng is type Wireshark/... - pcapng.
    mergecap: selected frame_type Ethernet (ether)
    mergecap: ready to merge records
    Record: 1
    Record: 2
    Record: 3
    mergecap: merging complete
    
    
    λ mergecap -v
    Mergecap (Wireshark) 4.0.0 (v4.0.0-0-g0cbe09cd796b).
    
    Copyright 1998-2022 Gerald Combs <gerald@wireshark.org> and contributors.
    Licensed under the terms of the GNU General Public License (version 2 or later).
    This is free software; see the file named COPYING in the distribution. There is
    NO WARRANTY; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    
    Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332),
    with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with binary plugins.
    
    Running on 64-bit Windows 10 (1809), build 17763, with Intel(R) Xeon(R) Gold
    6242R CPU @ 3.10GHz (with SSE4.2), with 16382 MB of physical memory, with GLib
    2.72.3, with PCRE2 10.40 2022-04-14, with LC_TYPE=C, binary plugins supported.
    
  Original article: https://blog.csdn.net/weixin_47627078/article/details/133817072