Comments on Detroit Dave's Raves: Combining the pcap files quickly
15 comments

DetroitDave (2014-02-11T10:43:02.880-05:00):
Certainly true that you could just type in the command and wildcard the pcap files. However, the point of this was a simple tool that could be used repetitively, which in the long run saves me time. Of course my script above is just one way, and if the "batch file for loop stuff" is too cumbersome or "strange" for some, they certainly have the option of typing the command and wild-carding it every time. That's what I love about my job...multiple correct solutions for almost any given problem.

Anonymous (2014-02-08T19:58:21.495-05:00):
Um, you can just do:

    "c:\Program Files\Wireshark\mergecap.exe" -w temp.pcap file*.pcap

and avoid all the batch file for loop stuff. HTH

DetroitDave (2013-07-22T15:30:07.794-04:00):
Scott,

I just saw you commented on this. :-( Anyway, I like the changes you made. My initial posting follows me true to form...I create tools/scripts to solve a problem for me (and only me). So when I share them, I tend to forget to add in any sort of error/param checking.

I think the idea of a prefilter with tshark is awesome! I do wonder about the cost, mostly in terms of wall clock time. It would be interesting to run some tests on a few ranges of files. It just so happens that I have a TON (over 2TBs of compressed data) of pcaps that I need to start doing some work on, so I will be able to test the prefiltering idea. I will edit the original post with any results.

Scott Harman (2013-04-11T02:41:06.732-04:00):
My modifications inline below: takes two parameters for the filter and the output file, bit messy but it helps ;)

    SETLOCAL EnableDelayedExpansion
    set myfiles=
    set param1=%1
    set param2=%2
    rem %1 = output file name without the .pcap extension (default: temp)
    IF DEFINED param1 (set OUTFILE=%1) else (set OUTFILE=temp)
    rem %2 = file name pattern without the .pcap extension (default: * = every pcap here)
    IF DEFINED param2 (set FILTER=%2) else (set FILTER=*)
    rem !myfiles! needs delayed expansion so the list grows on every loop iteration
    for %%f in (%FILTER%.pcap) do set myfiles=!myfiles! %%f
    rem the loop has finished by now, so %myfiles% already holds the full file list
    Cmd /V:on /c "c:\Program Files\Wireshark\mergecap.exe" -w %OUTFILE%.pcap %myfiles%

... I was going to add the preprocessing too, which would prefilter with tshark a defined string so you've got an even quicker way to filter and merge your massive captures... after getting 4.8GB of caps from a customer this afternoon ;) after filtering I'm down to only 780MB!

Art Howe (2012-10-17T15:40:42.445-04:00):
Anonymous.... You need to include this with the setlocal:

    setlocal enabledelayedexpansion

That will let the !myfile! concatenate.

DetroitDave (2012-10-10T23:35:42.162-04:00):
Without actually seeing the rest of your script, it's a little hard to say exactly what the problem is, although I am leaning towards a syntactical culprit with this one. I would say though that while mergecap "should" handle 106 pcap files, I would personally break up the task.
Some other things to check: from what folder are you running the batch file, and where in relation to this folder is the folder with all of the pcaps?
If you want to post your whole batch file in a reply, I will take a look at it and see if I can quickly see what might be wrong.
DW

Anonymous (2012-10-10T14:56:24.847-04:00):
Hello David!

I need to merge 106 .pcap files, and I tried using your file, but every time I do I get the following error:

    "mergecap: Can`t open !myfiles!: No such file or directory"

What do I do now??
Thank you

DetroitDave (2012-08-06T11:51:20.521-04:00):
@Anonymous: Think of "Set MyFiles=" as just a variable declaration. The value gets assigned in the for loop, where it assigns all pcap files in the current directory. Hope that helps. dw

Anonymous (2012-08-02T04:37:35.183-04:00):
Could you please suggest to me what to put in place of "set myfiles=", as it is showing me no directory.

DetroitDave (2011-01-07T06:51:04.486-05:00):
The "!" used in the for loop is used for variable expansion. A good link for an explanation is below. The bottom line is that the "!somename!" syntax allows the expansion of somename at a delayed time (not at the initial load of the bat/script/etc.). So if you use "setlocal enabledelayedexpansion" but did not use the bang operator before and after the variable, it will not work as needed...the bang says "hey, this variable needs to wait until execution to be expanded (as opposed to during script init/read)."
Hope that helps!

http://www.computerhope.com/sethlp.htm#03

Anonymous (2010-12-09T11:14:47.603-05:00):
Dave, this was very helpful. I have limited networking experience but am often called to troubleshoot networking in our industrial applications. The batch file worked well for me. I was trying to understand how it worked. I was able to run down everything except the "!" around myfiles in the For loop.
Could you please point me to a link explaining this?
Thanks again.

Anonymous (2010-12-03T14:43:40.406-05:00):
THANK YOU BOTH, works fine on xp & win7 (with setlocal enabledelayedexpansion)

DetroitDave (2010-09-11T17:47:14.666-04:00):
Awesome! I didn't think anyone was reading this. :-)
@Jake: I would have to play with this some. Unfortunately, I have been doing more sys admin and software engineering the last 5 months, so packet analysis has only been for my free time (which hasn't existed this last month). That all said, I am definitely interested in your question and I hope to have some time this weekend to play around with it.
@Anonymous: I believe you are right. However, I wrote this post a while ago and haven't had much time to play around with analysis in a bit, as I wrote above. From what I remember the /V option worked for me in some situations (on an XP box, I think), but I had to turn on delayed expansion in Vista.
@both: Thank you for the comments. I started this thing as a log for me, but the fact that others are reading it is somewhat cool. :-)

Anonymous (2010-09-08T12:27:43.999-04:00):
Just a note that you may need to turn on delayed expansion:

    setlocal enabledelayedexpansion

Or else the !myfiles! won't evaluate properly.

Jake (2010-09-03T09:29:12.958-04:00):
Cheers for this, really helped!

However, I have a similar problem and Google cannot help there either...

I want to run the -z io,phs stats on a range of files, with of course a combined output... Any suggestions?

I have about 500 files :) all quite large beasts, so I can't really merge them all as tshark complains...

I tried letting tshark read them all sequentially, but it only reads the last file you give it with the -r argument...

Any help would be great!