≡ Menu

Mergecap and Tshark: Merge Packet Dumps and Analyze Network Traffic

Network Switch with Ethernet Cables
Photo courtesy of Michael_P

This article is written by Balakrishnan M
 
A while back we reviewed 11 examples on how to use editcap utility to capture network dumps. In this article, let us review mergecap utility and tshark commands.
 
Mergecap is a packet dump combining tool, which will combine multiple dumps into a single dump file. Based on timestamp, the packets are written into the output file in an orderly manner. By default the output file is written in the libpcap format. However using mergecap options, we can generate output in various different format including those that are supported by wireshark tool.

mergecap is available in the wireshark package. Make sure wireshark/ethereal package is installed to use the mergecap.

Combine two dump files into a single output_dump file

Combines input_dump1 and input_dump2 capture files and writes into output_dump file.

# mergecap -v input_dump1 input_dump2 -w output_dump

 

In this example, input_dump2 contains the packets which are captured after input_dump1. The output_dump will contain intput_dump2 packets in the beginning followed by intput_dump1 packets.

# mergecap input_dump1 input_dump2 -w output_dump -a

Print output dump file to standard output

Combine two network dump files and print the output to the standard output instead of writing to a file.

# mergecap -v input1_dump input2_dump -w -

Print output file in a specific encapsulation format

Use option -T, to get the output file in the desired encapsulation format as shown below.

# mergecap -v -T ether -w merge_cap capture1 capture2 capture3

3. Merge packets of certain length

In this example, the output_dump contains the packets of maximum 100 bytes length.

# mergecap -v -s 100 dump1 dump2 dump3 -w output_dump

Tshark – Packet capture tool

Tshark is a powerful tool to capture network packets, which can be used to analyze the network traffic. It comes with wireshark network analyzer distribution.
 

Capture network capture continuously

The following example will capture the network packets continuously for 60 seconds. After 60 seconds of capture, it would stop automatically. capture_out contains the packets, which are flown in the network during the last 60 seconds.

# tshark -q -w capture_out -a duration:60

 
In the following example packets will be printed on the screen and simultaneously it will be written into the output file.

# tshark -S -q -w capture_out -a duration:10

Capture network statistics using tshark

To see how many packets are flowing in the network for a specific interval use the following command.

# tshark -q -w capture_duration1 -a duration:1 -z io,stat,1

Capture network packets for a specific host

Use the following example, to capture the packet flow for a particular host(transmitted and received packets). In this example, we could see that for every second how many packets are flown in the network for the host 192.168.1.185

#  tshark -S -q -w capture_duration6 -a duration:6 -z io,stat,1,ip.addr==192.168.1.150
After capturing all the packets for 6 seconds duration, it will print the statistics as like the following,
145 packets dropped
19749 packets captured
IO Statistics
Interval: 1.000 secs
Column #0: ip.addr==192.168.1.185
|   Column #0
Time       	      |frames|  bytes
000.000-001.000    2733    545242
001.000-002.000    2991    583374
002.000-003.000    3310    650716
003.000-004.000    3236    641896
004.000-005.000    3518    690860
005.000-006.000    3310    654988
006.000-007.000     638    122812

Capture network packets on a specific port

This example captures only the ssh packets.

# tshark -f “tcp port 22” -w capture_out

Capture network packets for specific duration

The following example will capture packets for specific duration (5 seconds), switch over to the next file when capture file size reaches certain size (1000KB).

# tshark -a filesize:1000 -a duration:5 -a files:5 -w ethcap1

Sample output capture filename with size:

ethcap1_00001_20090216174203 -   1000K
ethcap1_00002_20090216174205 -  1000K
ethcap1_00003_20090216174207 -  835K

Other tshark capture commands

Use option -c, to capture the packets upto certain packet count. The following example creates the ethcap1 file only with 10 packets.

# tshark -c 10  -w ethcap1

 

Use option -r to read network packets from as compressed file.

# tshark -r capture_dump.gz

 

Use option -r, to displays only specific packet types. The following example creates the file capture_dump only with the rtp packets in the network analyzer.

# tshark -R “rtp” -r capture_dump

 

Use the filter below to capture the tcp packets which are flowing in the port 1720.

# tshark -f “tcp port 1720”

 
The following example will capture packets that are coming either to the port 1720 or 1721.

# tshark -f  “port 1720 or port 1721”	 -w capture_dump

 

By default, tshark will use eth0 device to do the packet capture. You can also specify a specific ethernet adapter using option -i as shown below.

# tshark -i eth1 -w -a duration:10 capture_dump

 

This article was written by Balakrishnan Mariyappan. He is working in bk Systems (p) Ltd, and interested in contributing to the open source. The Geek Stuff welcomes your tips and guest articles.

Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • Aravind June 10, 2009, 2:15 am

    How do i find the packet length??