Wireshark-users: Re: [Wireshark-users] Capturing and merging files from different machines
From: Sake Blok <[email protected]>
Date: Wed, 18 Jun 2008 16:40:25 +0200
On Wed, Jun 18, 2008 at 02:20:43PM +0100, Chris Swinney wrote:
> 
> I have taken a capture on two different machines from an in-line network
> tap (one to capture upstream, one to capture downstream data). I now
> need to merge these file, but when I ask Wireshark to merge them
> chronologically, it seems to merge them based on the initial time taken
> into the capture, not the actual capture time.

Have a look at http://wiki.wireshark.org/Timestamps for some
more info on how packets are timestamped.

> I have tried to mitigate time differences by synching both machines to
> an NTP server, but of course both captures are themselves started a
> different times. How can I best accomplish what I want? I've had a look
> at mergecap (as well as the inbuilt merge facility as shown above), but
> am not sure if this will still do what I'm after.

You can use editcap to time-shift packets in trace files. If you 
know the time difference between the tracefiles, then you can
edit one file to "match" the time setting of the other file. Of
course this won't solve any time-differences introduced by the
delay between capturing and timestamping (as explained on the wiki).

You can calculate the time difference by looking at the 3-way handshake:

File 1:
=======
1.123456 SYN
1.125678 ACK

File 2:
=======
1.234567 SYN/ACK

This means the time difference must be between:

1.234567 - 1.123456 = 0.111111 (because SYN/ACK must have come after SYN)

and

1.234567 - 1.125678 = 0.108889 (because ACK must have come after SYN/ACK)

If you calculate that for a couple of 3-way handshakes, then you must 
get a good idea on what time-shift to use in editcap.

Hope this helps,
Cheers,
    Sake