On Tue, Apr 16, 2002 at 08:10:02PM -0400, Raghu Uppalli wrote:
> I have two raw tcpdump files with inbound and outbound traffic
> separated. I now need to merge them so as to run a tool like tcp-reduce.
> I did (on linux) : paste -d "\n" file1 file2
To quote the "paste" man page (on FreeBSD 3.4, but it's just a standard
UNIX command):
The paste utility concatenates the corresponding lines of the given
                                                 ^^^^^
input files ...
"paste" works on files that are text files composed of lines.
Raw tcpdump files are *NOT* text files. You cannot use "paste" to merge
them.
> (I couldn't find a binary merge.)
Unfortunately, a binary merge is what you need - and not just any binary
merge, but one that knows about tcpdump files. Fortunately, there is
such a program; see below.
> When I do tcpdump -r file_new, I get a couple of lines and then get this
> error:
> tcpdump: pcap_loop: bogus savefile header.
>
> I guess the file's magic number is not recognized by tcpdump.
The file's magic number isn't the right magic number for a raw tcpdump
file; "paste" produced a file that's not a valid tcpdump file, because
"paste" works on text files, not raw tcpdump files.
> Is there a way to overcome this?
A way to get "paste" to combine raw tcpdump files? No.
> Or can I merge it in a different way.
Ethereal:
http://www.ethereal.com/
(it's free software, not a commercial product, the ".com"
notwithstanding) comes with a tool "mergecap" which should be able to do
what you want:
% man mergecap
...
MERGECAP(1) The Ethereal Network Analyzer MERGECAP(1)
NAME
mergecap - Merges two capture files into one
SYNOPSIS
mergecap [ -hva ] [ -s snaplen ] [ -F file format ]
[ -T encapsulation type ] -w outfile infile ...
DESCRIPTION
Mergecap is a program that combines multiple saved capture
files into a single output file specified by the -w
argument. Mergecap knows how to read libpcap capture
files, including those of tcpdump, Ethereal, and other
tools that write captures in that format. ...
...
Packets from the input files are merged in chronological
order based on each frame's timestamp, unless the -a flag
is specified. Mergecap assumes that frames within a
single capture file are already stored in chronological
order. ...
...
You will need GLib 1.2[.x] on your machine. You won't need GTK+,
although you will have to configure with "--without-ethereal", as
Ethereal is a GUI application using the GTK+ toolkit.
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:[EMAIL PROTECTED]?body=unsubscribe
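The two things the reply above talks about, as an added example (Python; this is not mergecap's code and not part of the original message): a minimal reader and writer for the raw libpcap savefile format, a timestamp-ordered binary merge of two already-sorted captures of the kind mergecap performs without -a, and an emulation of `paste -d "\n"` run over the same bytes. The inbound and outbound captures are constructed in the block; their link type, snaplen, timestamps and packet bytes, the use of the microsecond-resolution magic only, and the requirement that all inputs share one link type are assumptions of the example. In this constructed case the pasted file still begins with a valid header, so the reader returns the first file's records and then fails on a record header assembled from the inserted newline and the second file's header, whose caplen exceeds the snaplen, which is the condition libpcap reports as "bogus savefile header".

```python
# Added example: parse, write and chronologically merge libpcap savefiles,
# and show what a line-oriented tool does to them. Not mergecap's code.
import heapq
import struct
from typing import Iterator, List, Optional, Tuple

# (ts_sec, ts_usec, original wire length, captured bytes)
Packet = Tuple[int, int, int, bytes]

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution savefile magic (assumed: the only one handled)
GLOBAL_HDR = "IHHiIII"    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"       # ts_sec, ts_usec, caplen, len


def parse_header(data: bytes) -> Tuple[str, int, int]:
    """Validate the 24-byte file header; return (struct endianness, snaplen, linktype)."""
    if len(data) < 24:
        raise ValueError("truncated dump file")
    if data[:4] == struct.pack("<I", PCAP_MAGIC):
        endian = "<"
    elif data[:4] == struct.pack(">I", PCAP_MAGIC):
        endian = ">"
    else:
        raise ValueError("bad dump file format")   # not a savefile magic number
    _, _, _, _, _, snaplen, linktype = struct.unpack(endian + GLOBAL_HDR, data[:24])
    return endian, snaplen, linktype


def iter_records(data: bytes) -> Iterator[Packet]:
    """Yield packets one record at a time, failing the way libpcap does."""
    endian, snaplen, _ = parse_header(data)
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated dump file")
        ts_sec, ts_usec, caplen, wirelen = struct.unpack(endian + RECORD_HDR, data[off:off + 16])
        off += 16
        # A record claiming more captured bytes than the file's snaplen is
        # what libpcap reports as a "bogus savefile header".
        if caplen > snaplen:
            raise ValueError("bogus savefile header")
        if len(data) - off < caplen:
            raise ValueError("truncated dump file")
        yield ts_sec, ts_usec, wirelen, data[off:off + caplen]
        off += caplen


def write_pcap(linktype: int, snaplen: int, packets: List[Packet]) -> bytes:
    """Serialize packets as a little-endian, version 2.4 savefile."""
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, wirelen, payload in packets:
        out.append(struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(payload), wirelen))
        out.append(payload)
    return b"".join(out)


def merge_pcaps(*files: bytes) -> bytes:
    """Binary merge in timestamp order (what mergecap does without -a).

    Each input is assumed to be in chronological order already; ties keep
    input-file order. Requiring one shared link type is an assumption of
    this example, not a statement about mergecap."""
    headers = [parse_header(f) for f in files]
    linktypes = {h[2] for h in headers}
    if len(linktypes) != 1:
        raise ValueError("inputs have different link types: %r" % sorted(linktypes))
    merged = list(heapq.merge(*[iter_records(f) for f in files], key=lambda p: (p[0], p[1])))
    return write_pcap(linktypes.pop(), max(h[1] for h in headers), merged)


def paste_newline(*files: bytes) -> bytes:
    """Emulate `paste -d "\\n" f1 f2 ...` on arbitrary bytes: each input is cut
    into newline-terminated lines and the lines are interleaved, so any 0x0a
    byte inside a header or packet becomes a split point."""
    columns = [f.split(b"\n") for f in files]
    for col in columns:
        if col and col[-1] == b"":   # a trailing newline does not start another line
            col.pop()
    width = max(len(c) for c in columns)
    rows = [b"\n".join(c[i] if i < len(c) else b"" for c in columns) + b"\n" for i in range(width)]
    return b"".join(rows)


def try_read(data: bytes) -> Tuple[int, Optional[str]]:
    """Mimic `tcpdump -r`: count records read before libpcap gives up."""
    count = 0
    try:
        for _ in iter_records(data):
            count += 1
    except ValueError as err:
        return count, str(err)
    return count, None


# Constructed sample captures (not real traffic): inbound and outbound halves of
# one session, each already in time order, link type 1 (Ethernet), snaplen 68.
INBOUND = write_pcap(1, 68, [(1, 100, 4, b"IN-1"), (3, 0, 4, b"IN-2")])
OUTBOUND = write_pcap(1, 68, [(2, 0, 5, b"OUT-1"), (4, 0, 5, b"OUT-2")])

if __name__ == "__main__":
    print("mergecap-style merge:", [p[3] for p in iter_records(merge_pcaps(INBOUND, OUTBOUND))])
    print("paste -d '\\n' result:", try_read(paste_newline(INBOUND, OUTBOUND)))
```

Run stand-alone it prints the four packets in wall-clock order for the real merge, and `(3, 'bogus savefile header')` for the pasted file: two genuine records, one zero-length record fabricated from the stray newline, then the error, much like the "couple of lines" followed by the error in the report. A file with a damaged first four bytes fails earlier, at the header check, with libpcap's "bad dump file format".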