Wireshark-users: Re: [Wireshark-users] merge pcap from two interfaces
From: "Maynard, Chris" <[email protected]>
Date: Sun, 13 May 2018 16:15:15 +0000

Neither dumpcap nor tshark support on-the-fly compression (yet)[1], so unfortunately you’ll have to somehow solve that problem yourself.


As for the timestamp, the format is fixed so if you want to change it, you’ll have to come up with your own solution here too.


From: luke devon [mailto:[email protected]]
Sent: Sunday, May 13, 2018 6:00 AM
To: Community support list for Wireshark <[email protected]>; Maynard, Chris <[email protected]>
Subject: Re: [Wireshark-users] merge pcap from two interfaces


Hi Chris, 


I was able to execute the following command. syntaxes are same for the tshark and dumpcap.


dumpcap -i enp0s3 -i enp0s8 -b duration:15 -w /usr/etc/enp0s3_enp0s8.pcap 


output as follows;





every 15sec, the file name is rolling out.


1. Can you please guide me, how to make the file compressed? for example; enp0s3_enp0s8_00001_20180513174130.tar.gz

2. also can I change the format of the timestamp in the file name?  Something similar to this --> trace_%Y-%m-%d_%H-%M-%S.pcap



I was using following tcpdump command to capture, adding the timestamp and compressing the traces.


tcpdump -i eno2 -s 0 -G 15 -w '/test/Network_%Y-%m-%d_%H-%M-%S.pcap' -Z root -z gzip


But I cant use this command continuously as it has limitations to capture multiple interface same time in a single command.


Thanks & Regards





On Sunday, 13 May 2018, 10:48:28 AM GMT+8, luke devon via Wireshark-users <[email protected]> wrote:



Hi Chris,


Thank you so much for the guidance.


May I know, can we use tshark to rotate the traces every 15 sec? and can we compress into tar.gz the completed dump?





On Sunday, 13 May 2018, 1:08:32 AM GMT+8, Maynard, Chris <[email protected]> wrote:



Do you have to use tcpdump?  If you have tshark available, then you can capture on both interfaces at the same time without the need to merge separate capture files at all.  For example:


tshark -i eth0 -i eth1 –w eth0_eth1.pcapng


Refer to the tshark[1] (or dumpcap[2]) man pages for more information.

- Chris

[1]: https://www.wireshark.org/docs/man-pages/tshark.html

[2]: https://www.wireshark.org/docs/man-pages/dumpcap.html



From: Wireshark-users [mailto:wireshark-users[email protected]] On Behalf Of luke devon via Wireshark-users
Sent: Saturday, May 12, 2018 8:17 AM
To: Community support list for Wireshark <[email protected]>
Cc: luke devon <[email protected]>
Subject: Re: [Wireshark-users] merge pcap from two interfaces


Hi Abhik, 



Thank you for the reply.


The reason is, the server got few more interfaces too. I want to capture specifically etho and etho1, Not other interfaces. That's why I can't use "-i any".





On Saturday, 12 May 2018, 6:38:55 PM GMT+8, Abhik Sarkar <[email protected]> wrote:



Alternately, run tcpdump with "-i any" to have the capture for all interfaces in the same file (unless you have good reason to keep them separate, of course).




On 12 May 2018 at 14:14, luke devon via Wireshark-users <[email protected]> wrote:



I have a server which has multiple ethernet interfaces and carrying network traffic to the system. every 15sec, roll out to the next tcpdump. Likewise, it will generate 4 - pcap file in a minute. 


eth0 will generate 4 pcap files

eth1 will generate 4 pap files.


I wanna merge respective etho and eth1 files by matching with the time stamp.


can it be done? Please help.


Thank you









CONFIDENTIALITY NOTICE: This message is the property of International Game Technology PLC and/or its subsidiaries and may contain proprietary, confidential or trade secret information.  This message is intended solely for the use of the addressee.  If you are not the intended recipient and have received this message in error, please delete this message from your system. Any unauthorized reading, distribution, copying, or other use of this message or its attachments is strictly prohibited.