Wireshark mailing list archives

Re: merge pcap from two interfaces


From: luke devon via Wireshark-users <wireshark-users () wireshark org>
Date: Sun, 13 May 2018 22:56:01 +0000 (UTC)

Hi Chris,

Thank you for the information. I will have a look at how to fix those extra steps in my requirements.
Thank you once again for your guidance and support.

Br,
Luke.


    On Monday, 14 May 2018, 12:15:18 AM GMT+8, Maynard, Chris <Christopher.Maynard () IGT com> wrote:  
 
Neither dumpcap nor tshark support on-the-fly compression (yet) [1], so unfortunately you'll have to somehow solve that problem yourself.

As for the timestamp, the format is fixed, so if you want to change it, you'll have to come up with your own solution here too.

- Chris

[1]: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9311

 
From: luke devon [mailto:luke_devon () yahoo com]
Sent: Sunday, May 13, 2018 6:00 AM
To: Community support list for Wireshark <wireshark-users () wireshark org>; Maynard, Chris <Christopher.Maynard () IGT 
com>
Subject: Re: [Wireshark-users] merge pcap from two interfaces
Hi Chris,

I was able to execute the following command. The syntax is the same for tshark and dumpcap.

dumpcap -i enp0s3 -i enp0s8 -b duration:15 -w /usr/etc/enp0s3_enp0s8.pcap

Output as follows:

enp0s3_enp0s8_00001_20180513174130.pcap
enp0s3_enp0s8_00002_20180513174145.pcap

Every 15 sec, the file name rolls out.

1. Can you please guide me on how to make the file compressed? For example: enp0s3_enp0s8_00001_20180513174130.tar.gz

2. Also, can I change the format of the timestamp in the file name? Something similar to this --> trace_%Y-%m-%d_%H-%M-%S.pcap

I was using the following tcpdump command to capture, adding the timestamp and compressing the traces.

tcpdump -i eno2 -s 0 -G 15 -w '/test/Network_%Y-%m-%d_%H-%M-%S.pcap' -Z root -z gzip

But I can't use this command continuously, as it has limitations capturing multiple interfaces at the same time in a single command.

Thanks & Regards
Luke.

On Sunday, 13 May 2018, 10:48:28 AM GMT+8, luke devon via Wireshark-users <wireshark-users () wireshark org> wrote:

Hi Chris,

Thank you so much for the guidance.

May I know, can we use tshark to rotate the traces every 15 sec? And can we compress the completed dump into tar.gz?

Regards
Luke

On Sunday, 13 May 2018, 1:08:32 AM GMT+8, Maynard, Chris <Christopher.Maynard () IGT com> wrote:

Do you have to use tcpdump? If you have tshark available, then you can capture on both interfaces at the same time without the need to merge separate capture files at all. For example:

tshark -i eth0 -i eth1 -w eth0_eth1.pcapng

Refer to the tshark [1] (or dumpcap [2]) man pages for more information.

- Chris

[1]: https://www.wireshark.org/docs/man-pages/tshark.html
[2]: https://www.wireshark.org/docs/man-pages/dumpcap.html

From: Wireshark-users [mailto:wireshark-users-bounces () wireshark org] On Behalf Of luke devon via Wireshark-users
Sent: Saturday, May 12, 2018 8:17 AM
To: Community support list for Wireshark <wireshark-users () wireshark org>
Cc: luke devon <luke_devon () yahoo com>
Subject: Re: [Wireshark-users] merge pcap from two interfaces
Hi Abhik,

Thank you for the reply.

The reason is, the server has a few more interfaces too. I want to capture specifically eth0 and eth1, not the other interfaces. That's why I can't use "-i any".

Regards
Luke

On Saturday, 12 May 2018, 6:38:55 PM GMT+8, Abhik Sarkar <sarkar.abhik () gmail com> wrote:

Hi Luke,

You could use mergecap (https://www.wireshark.org/docs/wsug_html_chunked/AppToolsmergecap.html).

Alternately, run tcpdump with "-i any" to have the capture for all interfaces in the same file (unless you have good reason to keep them separate, of course).

Regards,
Abhik

On 12 May 2018 at 14:14, luke devon via Wireshark-users <wireshark-users () wireshark org> wrote:

Hi,

I have a server which has multiple ethernet interfaces carrying network traffic to the system. Every 15 sec, it rolls out to the next tcpdump file. Likewise, it will generate 4 pcap files in a minute.

eth0 will generate 4 pcap files.
eth1 will generate 4 pcap files.

I want to merge the respective eth0 and eth1 files by matching the time stamps.

Can it be done? Please help.

Thank you
Luke
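The workflow the thread converges on (one dumpcap ring buffer over both interfaces, with compression and the tcpdump-style timestamp names applied afterwards, since dumpcap cannot do either itself), as an added example that is not code from any of the posters. It assumes ring-buffer file names of the form shown above (PREFIX_NNNNN_YYYYMMDDHHMMSS.pcap), that the newest file is the one dumpcap is still writing, and the target name pattern trace_%Y-%m-%d_%H-%M-%S.pcap from the thread.

```shell
#!/bin/sh
# Added example: post-process dumpcap ring-buffer output
# (dumpcap -i enp0s3 -i enp0s8 -b duration:15 -w DIR/PREFIX.pcap).
# Assumed input names: PREFIX_NNNNN_YYYYMMDDHHMMSS.pcap, as in the thread.

# Map a ring-buffer file name to the tcpdump-style name from the thread.
# Prints the new name (without .gz); returns 1 if the name does not match.
ring_to_trace_name() {
    base=$(basename "$1" .pcap)
    stamp=${base##*_}                      # trailing YYYYMMDDHHMMSS field
    case "$stamp" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    y=$(printf '%s' "$stamp" | cut -c1-4)
    mo=$(printf '%s' "$stamp" | cut -c5-6)
    d=$(printf '%s' "$stamp" | cut -c7-8)
    h=$(printf '%s' "$stamp" | cut -c9-10)
    mi=$(printf '%s' "$stamp" | cut -c11-12)
    s=$(printf '%s' "$stamp" | cut -c13-14)
    printf 'trace_%s-%s-%s_%s-%s-%s.pcap\n' "$y" "$mo" "$d" "$h" "$mi" "$s"
}

# Rename and gzip every completed ring file for PREFIX in DIR, skipping the
# newest one because dumpcap is still writing to it. Prints each .gz made.
compress_completed() {
    dir=$1; prefix=$2
    # Zero-padded sequence numbers make a plain sort chronological.
    ls "$dir"/"$prefix"_[0-9]*_[0-9]*.pcap 2>/dev/null | sort | sed '$d' |
    while IFS= read -r f; do
        new=$(ring_to_trace_name "$f") || continue
        mv "$f" "$dir/$new" && gzip -f "$dir/$new" && printf '%s\n' "$dir/$new.gz"
    done
}
```

Run compress_completed from cron or a loop while dumpcap is capturing; the final file is only picked up after dumpcap has stopped and a later file exists, or by a last manual pass.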