
Merging Captured Files in Wireshark

Last Updated : 15 Sep, 2022

One of Wireshark's features is that it can capture packets from multiple interfaces at once. To select several interfaces, hold the left CTRL key and click each of the interfaces listed in Wireshark's main window.

[Figure: Introduction menu]

When capturing packets from multiple interfaces, each packet is shown with an “Interface ID: XX” value that tells us which interface it belongs to.

[Figure: Interface 3]

Sometimes we want to combine capture files from multiple interfaces into a single file so that we can analyze all of them at once.

Steps to Combine Capture Files Using Wireshark:

Step 1: Click File → Merge to open the “Merge Capture File” dialogue box. This menu item is enabled only when a capture file is already loaded.

Step 2: We can also drag and drop multiple files onto the main window. This combines their packets in chronological order. If we drop only a single file, however, it replaces the existing capture file instead of being merged with it.

Step 3: We can use “Mergecap”, a command-line tool that is already included with Wireshark, to merge multiple capture files into a single file. It can read libpcap capture files, including those written by tcpdump.

The Merge Capture File Dialogue Box:

This dialogue box allows us to merge multiple capture files into the currently loaded one. If the current file has not been saved, we will be prompted with a save dialogue box first.

[Figures: the Merge Capture File dialogue box on Windows and on Linux]

Wireshark’s “Merge Capture File” dialogue box has the following controls:

  • Prepend packets: This will attach the packets from the selected file before the packets of the currently loaded file.
  • Merge chronologically: This will merge the packets from both the selected and currently loaded files according to their timestamp.
  • Append packets: This will attach the packets from the selected file after the packets of the currently loaded file.
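
The following added example (not Wireshark's or Mergecap's own code) shows what the three controls do to packet order by merging two classic libpcap files in Python. The function names and the sample packets are assumptions made for illustration, and only the classic microsecond pcap format is handled, not pcapng.

```python
import heapq
import struct

def build_pcap(packets, linktype=1):
    """Serialize (sec, usec, orig_len, data) records as a little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, orig_len, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), orig_len) + data
    return out

def read_pcap(blob):
    """Parse a classic pcap file into (linktype, [(sec, usec, orig_len, data)])."""
    magic = struct.unpack_from("<I", blob)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond-resolution pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    linktype = struct.unpack_from(end + "I", blob, 20)[0]
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError("truncated record header")
        sec, usec, caplen, orig_len = struct.unpack_from(end + "IIII", blob, off)
        if off + 16 + caplen > len(blob):
            raise ValueError("truncated packet data")
        packets.append((sec, usec, orig_len, blob[off + 16:off + 16 + caplen]))
        off += 16 + caplen
    return linktype, packets

def merge(current, selected, mode="chronological"):
    """Combine two capture files the way the three dialogue controls describe."""
    lt_cur, cur = read_pcap(current)
    lt_sel, sel = read_pcap(selected)
    if lt_cur != lt_sel:  # a classic pcap header records a single link type
        raise ValueError("link-layer types differ")
    if mode == "prepend":
        merged = sel + cur
    elif mode == "append":
        merged = cur + sel
    elif mode == "chronological":
        # Assumes each input is already time-ordered; ties keep `current` first.
        merged = list(heapq.merge(cur, sel, key=lambda p: p[:2]))
    else:
        raise ValueError("unknown mode: " + mode)
    return build_pcap(merged, lt_cur)

# Constructed sample: two interfaces captured over the same four seconds.
CURRENT = build_pcap([(100, 0, 2, b"A1"), (102, 0, 2, b"A2")])
SELECTED = build_pcap([(101, 0, 2, b"B1"), (103, 0, 2, b"B2")])
print([p[3] for p in read_pcap(merge(CURRENT, SELECTED))[1]])
```

Only the chronological mode interleaves the two interfaces by timestamp; prepend and append leave each file's packets as a contiguous block, so the combined capture is no longer in time order when the captures overlap.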
