same command line related changes as recently done with editcap
svn path=/trunk/; revision=16994
parent
ae477dc44f
commit
41c3bca696
201
doc/mergecap.pod
201
doc/mergecap.pod
|
@ -6,12 +6,14 @@ mergecap - Merges two or more capture files into one
|
||||||
=head1 SYNOPSYS
|
=head1 SYNOPSYS
|
||||||
|
|
||||||
B<mergecap>
|
B<mergecap>
|
||||||
S<[ B<-hva> ]>
|
S<[ B<-a> ]>
|
||||||
S<[ B<-s> I<snaplen> ]>
|
S<[ B<-F> E<lt>I<file format>E<gt> ]>
|
||||||
S<[ B<-F> I<file format> ]>
|
S<[ B<-h> ]>
|
||||||
S<[ B<-T> I<encapsulation type> ]>
|
S<[ B<-s> E<lt>I<snaplen>E<gt> ]>
|
||||||
S<B<-w> I<outfile>|->
|
S<[ B<-T> E<lt>I<encapsulation type>E<gt> ]>
|
||||||
I<infile>
|
S<[ B<-v> ]>
|
||||||
|
S<B<-w> E<lt>I<outfile>E<gt>|->
|
||||||
|
E<lt>I<infile>E<gt>
|
||||||
I<...>
|
I<...>
|
||||||
|
|
||||||
=head1 DESCRIPTION
|
=head1 DESCRIPTION
|
||||||
|
@ -21,7 +23,98 @@ a single output file specified by the B<-w> argument. B<Mergecap> knows
|
||||||
how to read B<libpcap> capture files, including those of B<tcpdump>,
|
how to read B<libpcap> capture files, including those of B<tcpdump>,
|
||||||
B<Ethereal>, and other tools that write captures in that format.
|
B<Ethereal>, and other tools that write captures in that format.
|
||||||
|
|
||||||
B<Mergecap> can read / import the following file formats:
|
By default, it writes the capture file in B<libpcap> format, and writes
|
||||||
|
all of the packets in both input capture files to the output file.
|
||||||
|
|
||||||
|
Packets from the input files are merged in chronological order based on
|
||||||
|
each frame's timestamp, unless the B<-a> flag is specified. B<Mergecap>
|
||||||
|
assumes that frames within a single capture file are already stored in
|
||||||
|
chronological order. When the B<-a> flag is specified, packets are
|
||||||
|
copied directly from each input file to the output file, independent of
|
||||||
|
each frame's timestamp.
|
||||||
|
|
||||||
|
The output file frame encapsulation type is set to the type of the input
|
||||||
|
files, if all input files have the same type. If not all of the input
|
||||||
|
files have the same frame encapsulation type, the output file type is
|
||||||
|
set to WTAP_ENCAP_PER_PACKET. Note that some capture file formats, most
|
||||||
|
notably B<libpcap>, do not currently support WTAP_ENCAP_PER_PACKET.
|
||||||
|
This combination will cause the output file creation to fail.
|
||||||
|
|
||||||
|
=head1 OPTIONS
|
||||||
|
|
||||||
|
=over 4
|
||||||
|
|
||||||
|
=item -a
|
||||||
|
|
||||||
|
Causes the frame timestamps to be ignored, writing all packets from the
|
||||||
|
first input file followed by all packets from the second input file. By
|
||||||
|
default, when B<-a> is not specified, the contents of the input files
|
||||||
|
are merged in chronological order based on each frame's timestamp.
|
||||||
|
|
||||||
|
Note: when merging, B<mergecap> assumes that packets within a capture
|
||||||
|
file are already in chronological order.
|
||||||
|
|
||||||
|
=item -F E<lt>file formatE<gt>
|
||||||
|
|
||||||
|
Sets the file format of the output capture file. B<Mergecap> can write
|
||||||
|
the file in several formats, B<mergecap -F> provides a list of the
|
||||||
|
available output formats. The default is to use the file format of the
|
||||||
|
first input file.
|
||||||
|
|
||||||
|
=item -h
|
||||||
|
|
||||||
|
Prints the version and options and exits.
|
||||||
|
|
||||||
|
=item -s E<lt>snaplenE<gt>
|
||||||
|
|
||||||
|
Sets the snapshot length to use when writing the data.
|
||||||
|
If the B<-s> flag is used to specify a snapshot length, frames in the
|
||||||
|
input file with more captured data than the specified snapshot length
|
||||||
|
will have only the amount of data specified by the snapshot length
|
||||||
|
written to the output file. This may be useful if the program that is
|
||||||
|
to read the output file cannot handle packets larger than a certain size
|
||||||
|
(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6
|
||||||
|
appear to reject Ethernet frames larger than the standard Ethernet MTU,
|
||||||
|
making them incapable of handling gigabit Ethernet captures if jumbo
|
||||||
|
frames were used).
|
||||||
|
|
||||||
|
=item -v
|
||||||
|
|
||||||
|
Causes B<mergecap> to print a number of messages while it's working.
|
||||||
|
|
||||||
|
=item -w E<lt>outfileE<gt>|-
|
||||||
|
|
||||||
|
Sets the output filename. If the name is 'B<->', stdout will be used.
|
||||||
|
This setting is mandatory.
|
||||||
|
|
||||||
|
=item -T E<lt>encapsulation typeE<gt>
|
||||||
|
|
||||||
|
Sets the packet encapsulation type of the output capture file.
|
||||||
|
If the B<-T> flag is used to specify a frame encapsulation type, the
|
||||||
|
encapsulation type of the output capture file will be forced to the
|
||||||
|
specified type, rather than being the type appropriate to the
|
||||||
|
encapsulation type of the input capture files.
|
||||||
|
|
||||||
|
Note that this merely
|
||||||
|
forces the encapsulation type of the output file to be the specified
|
||||||
|
type; the packet headers of the packets will not be translated from the
|
||||||
|
encapsulation type of the input capture file to the specified
|
||||||
|
encapsulation type (for example, it will not translate an Ethernet
|
||||||
|
capture to an FDDI capture if an Ethernet capture is read and 'B<-T
|
||||||
|
fddi>' is specified).
|
||||||
|
|
||||||
|
=back
|
||||||
|
|
||||||
|
=head1 CAPTURE FILE FORMATS
|
||||||
|
|
||||||
|
There is no need to tell B<Mergecap> what type of
|
||||||
|
file you are reading; it will determine the file type by itself.
|
||||||
|
|
||||||
|
B<Mergecap> is also capable of reading any of these file formats if they
|
||||||
|
are compressed using gzip. B<Mergecap> recognizes this directly from
|
||||||
|
the file; the '.gz' extension is not required for this purpose.
|
||||||
|
|
||||||
|
The following I<input> file formats are supported:
|
||||||
|
|
||||||
=over 4
|
=over 4
|
||||||
|
|
||||||
|
@ -105,96 +198,10 @@ Linux Bluez Bluetooth stack B<hcidump -w> traces
|
||||||
|
|
||||||
=back
|
=back
|
||||||
|
|
||||||
There is no need to tell B<Mergecap> what type of
|
B<Mergecap> can write the file in several output formats.
|
||||||
file you are reading; it will determine the file type by itself.
|
The B<-F> flag can be used to specify the format in which to write the
|
||||||
B<Mergecap> is also capable of reading any of these file formats if they
|
capture file, B<mergecap -F> provides a list of the available output
|
||||||
are compressed using gzip. B<Mergecap> recognizes this directly from
|
formats.
|
||||||
the file; the '.gz' extension is not required for this purpose.
|
|
||||||
|
|
||||||
By default, it writes the capture file in B<libpcap> format, and writes
|
|
||||||
all of the packets in both input capture files to the output file. The
|
|
||||||
B<-F> flag can be used to specify the format in which to write the
|
|
||||||
capture file; it can write the file in B<libpcap> format (standard
|
|
||||||
B<libpcap> format, a modified format used by some patched versions of
|
|
||||||
B<libpcap>, the format used by Red Hat Linux 6.1, or the format used by
|
|
||||||
SuSE Linux 6.3), B<snoop> format, uncompressed B<Sniffer> format,
|
|
||||||
Microsoft B<Network Monitor> 1.x format, the format used by
|
|
||||||
Windows-based versions of the B<Sniffer> software, and the format used
|
|
||||||
by Visual Networks' software.
|
|
||||||
|
|
||||||
Packets from the input files are merged in chronological order based on
|
|
||||||
each frame's timestamp, unless the B<-a> flag is specified. B<Mergecap>
|
|
||||||
assumes that frames within a single capture file are already stored in
|
|
||||||
chronological order. When the B<-a> flag is specified, packets are
|
|
||||||
copied directly from each input file to the output file, independent of
|
|
||||||
each frame's timestamp.
|
|
||||||
|
|
||||||
If the B<-s> flag is used to specify a snapshot length, frames in the
|
|
||||||
input file with more captured data than the specified snapshot length
|
|
||||||
will have only the amount of data specified by the snapshot length
|
|
||||||
written to the output file. This may be useful if the program that is
|
|
||||||
to read the output file cannot handle packets larger than a certain size
|
|
||||||
(for example, the versions of snoop in Solaris 2.5.1 and Solaris 2.6
|
|
||||||
appear to reject Ethernet frames larger than the standard Ethernet MTU,
|
|
||||||
making them incapable of handling gigabit Ethernet captures if jumbo
|
|
||||||
frames were used).
|
|
||||||
|
|
||||||
The output file frame encapsulation type is set to the type of the input
|
|
||||||
files, if all input files have the same type. If not all of the input
|
|
||||||
files have the same frame encapsulation type, the output file type is
|
|
||||||
set to WTAP_ENCAP_PER_PACKET. Note that some capture file formats, most
|
|
||||||
notably B<libpcap>, do not currently support WTAP_ENCAP_PER_PACKET.
|
|
||||||
This combination will cause the output file creation to fail.
|
|
||||||
|
|
||||||
If the B<-T> flag is used to specify a frame encapsulation type, the
|
|
||||||
encapsulation type of the output capture file will be forced to the
|
|
||||||
specified type, rather than being the type appropriate to the
|
|
||||||
encapsulation type of the input capture files. Note that this merely
|
|
||||||
forces the encapsulation type of the output file to be the specified
|
|
||||||
type; the packet headers of the packets will not be translated from the
|
|
||||||
encapsulation type of the input capture file to the specified
|
|
||||||
encapsulation type (for example, it will not translate an Ethernet
|
|
||||||
capture to an FDDI capture if an Ethernet capture is read and 'B<-T
|
|
||||||
fddi>' is specified).
|
|
||||||
|
|
||||||
=head1 OPTIONS
|
|
||||||
|
|
||||||
=over 4
|
|
||||||
|
|
||||||
=item -w
|
|
||||||
|
|
||||||
Sets the output filename. If the name is 'B<->', stdout will be used.
|
|
||||||
|
|
||||||
=item -F
|
|
||||||
|
|
||||||
Sets the file format of the output capture file.
|
|
||||||
|
|
||||||
=item -T
|
|
||||||
|
|
||||||
Sets the packet encapsulation type of the output capture file.
|
|
||||||
|
|
||||||
=item -a
|
|
||||||
|
|
||||||
Causes the frame timestamps to be ignored, writing all packets from the
|
|
||||||
first input file followed by all packets from the second input file. By
|
|
||||||
default, when B<-a> is not specified, the contents of the input files
|
|
||||||
are merged in chronological order based on each frame's timestamp.
|
|
||||||
Note: when merging, B<mergecap> assumes that packets within a capture
|
|
||||||
file are already in chronological order.
|
|
||||||
|
|
||||||
=item -v
|
|
||||||
|
|
||||||
Causes B<mergecap> to print a number of messages while it's working.
|
|
||||||
|
|
||||||
=item -s
|
|
||||||
|
|
||||||
Sets the snapshot length to use when writing the data.
|
|
||||||
|
|
||||||
=item -h
|
|
||||||
|
|
||||||
Prints the version and options and exits.
|
|
||||||
|
|
||||||
=back
|
|
||||||
|
|
||||||
=head1 SEE ALSO
|
=head1 SEE ALSO
|
||||||
|
|
||||||
|
|
77
mergecap.c
77
mergecap.c
|
@ -86,32 +86,55 @@ get_positive_int(const char *string, const char *name)
|
||||||
static void
|
static void
|
||||||
usage(void)
|
usage(void)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
fprintf(stderr, "Mergecap %s"
|
||||||
|
#ifdef SVNVERSION
|
||||||
|
" (" SVNVERSION ")"
|
||||||
|
#endif
|
||||||
|
"\n", VERSION);
|
||||||
|
fprintf(stderr, "Merge two or more capture files into one.\n");
|
||||||
|
fprintf(stderr, "See http://www.ethereal.com for more information.\n");
|
||||||
|
fprintf(stderr, "\n");
|
||||||
|
fprintf(stderr, "Usage: mergecap [options] -w <outfile|-> <infile> ...\n");
|
||||||
|
fprintf(stderr, "\n");
|
||||||
|
fprintf(stderr, "Output:\n");
|
||||||
|
fprintf(stderr, " -a files should be concatenated, not merged\n");
|
||||||
|
fprintf(stderr, " Default merges based on frame timestamps\n");
|
||||||
|
fprintf(stderr, " -s <snaplen> truncate packets to <snaplen> bytes of data\n");
|
||||||
|
fprintf(stderr, " -w <outfile|-> set the output filename to <outfile> or '-' for stdout\n");
|
||||||
|
fprintf(stderr, " -F <capture type> set the output file type, default is libpcap\n");
|
||||||
|
fprintf(stderr, " an empty \"-F\" option will list the file types\n");
|
||||||
|
fprintf(stderr, " -T <encap type> set the output file encapsulation type,\n");
|
||||||
|
fprintf(stderr, " default is the same as the first input file\n");
|
||||||
|
fprintf(stderr, " an empty \"-T\" option will list the encapsulation types\n");
|
||||||
|
fprintf(stderr, "\n");
|
||||||
|
fprintf(stderr, "Miscellaneous:\n");
|
||||||
|
fprintf(stderr, " -h display this help and exit\n");
|
||||||
|
fprintf(stderr, " -v verbose output\n");
|
||||||
|
}
|
||||||
|
|
||||||
|
static void list_capture_types(void) {
|
||||||
|
int i;
|
||||||
|
|
||||||
|
fprintf(stderr, "editcap: The available capture file types for \"F\":\n");
|
||||||
|
for (i = 0; i < WTAP_NUM_FILE_TYPES; i++) {
|
||||||
|
if (wtap_dump_can_open(i))
|
||||||
|
fprintf(stderr, " %s - %s\n",
|
||||||
|
wtap_file_type_short_string(i), wtap_file_type_string(i));
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void list_encap_types(void) {
|
||||||
int i;
|
int i;
|
||||||
const char *string;
|
const char *string;
|
||||||
|
|
||||||
printf("Usage: mergecap [-hva] [-s <snaplen>] [-T <encap type>]\n");
|
fprintf(stderr, "editcap: The available encapsulation types for \"T\":\n");
|
||||||
printf(" [-F <capture type>] -w <outfile> <infile> [...]\n\n");
|
|
||||||
printf(" where\t-h produces this help listing.\n");
|
|
||||||
printf(" \t-v verbose operation, default is silent\n");
|
|
||||||
printf(" \t-a files should be concatenated, not merged\n");
|
|
||||||
printf(" \t Default merges based on frame timestamps\n");
|
|
||||||
printf(" \t-s <snaplen>: truncate packets to <snaplen> bytes of data\n");
|
|
||||||
printf(" \t-w <outfile>: sets output filename to <outfile>\n");
|
|
||||||
printf(" \t-T <encap type> encapsulation type to use:\n");
|
|
||||||
for (i = 0; i < WTAP_NUM_ENCAP_TYPES; i++) {
|
for (i = 0; i < WTAP_NUM_ENCAP_TYPES; i++) {
|
||||||
string = wtap_encap_short_string(i);
|
string = wtap_encap_short_string(i);
|
||||||
if (string != NULL)
|
if (string != NULL)
|
||||||
printf(" \t %s - %s\n",
|
fprintf(stderr, " %s - %s\n",
|
||||||
string, wtap_encap_string(i));
|
string, wtap_encap_string(i));
|
||||||
}
|
}
|
||||||
printf(" \t default is the same as the first input file\n");
|
|
||||||
printf(" \t-F <capture type> capture file type to write:\n");
|
|
||||||
for (i = 0; i < WTAP_NUM_FILE_TYPES; i++) {
|
|
||||||
if (wtap_dump_can_open(i))
|
|
||||||
printf(" \t %s - %s\n",
|
|
||||||
wtap_file_type_short_string(i), wtap_file_type_string(i));
|
|
||||||
}
|
|
||||||
printf(" \t default is libpcap\n");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
|
@ -156,6 +179,7 @@ main(int argc, char *argv[])
|
||||||
if (frame_type < 0) {
|
if (frame_type < 0) {
|
||||||
fprintf(stderr, "mergecap: \"%s\" isn't a valid encapsulation type\n",
|
fprintf(stderr, "mergecap: \"%s\" isn't a valid encapsulation type\n",
|
||||||
optarg);
|
optarg);
|
||||||
|
list_encap_types();
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
@ -165,6 +189,7 @@ main(int argc, char *argv[])
|
||||||
if (file_type < 0) {
|
if (file_type < 0) {
|
||||||
fprintf(stderr, "mergecap: \"%s\" isn't a valid capture file type\n",
|
fprintf(stderr, "mergecap: \"%s\" isn't a valid capture file type\n",
|
||||||
optarg);
|
optarg);
|
||||||
|
list_capture_types();
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
@ -178,18 +203,22 @@ main(int argc, char *argv[])
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case 'h':
|
case 'h':
|
||||||
printf("mergecap version %s"
|
|
||||||
#ifdef SVNVERSION
|
|
||||||
" (" SVNVERSION ")"
|
|
||||||
#endif
|
|
||||||
"\n", VERSION);
|
|
||||||
usage();
|
usage();
|
||||||
exit(0);
|
exit(0);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
case '?': /* Bad options if GNU getopt */
|
case '?': /* Bad options if GNU getopt */
|
||||||
|
switch(optopt) {
|
||||||
|
case'F':
|
||||||
|
list_capture_types();
|
||||||
|
break;
|
||||||
|
case'T':
|
||||||
|
list_encap_types();
|
||||||
|
break;
|
||||||
|
default:
|
||||||
usage();
|
usage();
|
||||||
return 1;
|
}
|
||||||
|
exit(1);
|
||||||
break;
|
break;
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
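Review bot: The two new listing helpers identify themselves as the wrong tool: `list_capture_types()` and `list_encap_types()` both print an `editcap:` prefix although this is mergecap.c, while the error messages in `main()` use `mergecap:`. The strings look copied from the editcap change and should read `fprintf(stderr, "mergecap: The available capture file types for \"F\":\n");` and `fprintf(stderr, "mergecap: The available encapsulation types for \"T\":\n");`, so that stderr captured in scripts or logs is attributed to the right program. Separately, `usage()` now writes to stderr even on the `-h` path that exits 0, so `mergecap -h | less` shows nothing; if that is not intended, consider letting `usage()` take the output stream as a parameter. The body of `main()` starts and ends outside the hunks shown.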