From 9fc3cd04a8225cac7261ec0bd70e1d12145f76d8 Mon Sep 17 00:00:00 2001 From: Guy Harris Date: Sun, 20 Jun 2021 15:39:58 -0700 Subject: [PATCH] mergecap: improve the example. Explain, in detail, exactly what it's trying to do and, for each of the three commands in the example, what each step does, as well as explaining what the calculation using the end time of one capture and start time of another capture is doing. (Where did this example come from? What is the real-world goal of this exercise? And why is it an example in which all the fancy stuff is done in commands *other* than mergecap?) (cherry picked from commit 628fe2549a47f4f246dd645d5d15dad3edc35cb7) --- doc/mergecap.pod | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/doc/mergecap.pod b/doc/mergecap.pod index f0760c43fb..8ed8b1090a 100644 --- a/doc/mergecap.pod +++ b/doc/mergecap.pod 
@@ -150,17 +150,34 @@ This setting is mandatory. =head1 EXAMPLES -To merge two capture files together, 100 seconds apart use: +To merge two capture files together into a third capture file, in which +the last packet of one file arrives 100 seconds before the first packet +of another file, use the following sequence of commands. + +First, use: capinfos -aeS a.pcap b.pcap -(Let's suppose a.pcap starts at 1009932757 and b.pcap ends -at 873660281. 1009932757 - 873660281 - 100 = 136272376 -seconds.) +to determine the start and end times of the two capture files, as +seconds since January 1, 1970, 00:00:00 UTC. + +If a.pcap starts at 1009932757 and b.pcap ends at 873660281, then the +time adjustment to b.pcap that would make it end 100 seconds before +a.pcap begins would be 1009932757 - 873660281 - 100 = 136272376 seconds. + +Thus, the next step would be to use: editcap -t 136272376 b.pcap b-shifted.pcap + +to generate a version of b.pcap with its time stamps shifted 136272376 +ahead. + +Then the final step would be to use : + mergecap -w compare.pcap a.pcap b-shifted.pcap +to merge a.pcap and the shifted b.pcap into compare.pcap. + =head1 SEE ALSO pcap(3), wireshark(1), tshark(1), dumpcap(1), editcap(1), text2pcap(1),
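Review bot: In the added paragraph after the editcap command, "shifted 136272376 ahead" drops the unit. The preceding paragraph gives the adjustment as "136272376 seconds", so this should read "shifted 136272376 seconds ahead". The added line "Then the final step would be to use :" has a stray space before the colon, unlike "First, use:" and "Thus, the next step would be to use:". The new opening sentence speaks of "one file" and "another file"; naming them there (b.pcap ending 100 seconds before a.pcap begins) would tell the reader which capture gets shifted before the third paragraph does.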