背景
想到介绍合并捕获文件这个事情,源自于朋友的一个问题,虽然我用到的场景不是很多,但是可能会有更多的同学需要,就简单说说我知道的几个方法。
示例
测试的捕获文件主要信息如下,其中 test.pcapng 文件数据包数量 3 个,为 TCP 三次握手数据包,分拆成两个数据包文件,No.1 SYN 和 No.3 ACK 为 test01.pcpang,No.2 SYN/ACK 为 test02.pcapng。
λ capinfos test.pcapng
File name: test.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 3
File size: 600 bytes
Data size: 186 bytes
Capture duration: 0.001654 seconds
First packet time: 2021-07-19 13:17:07.172339
Last packet time: 2021-07-19 13:17:07.173993
Data byte rate: 112 kBps
Data bit rate: 899 kbps
Average packet size: 62.00 bytes
Average packet rate: 1813 packets/s
SHA256: 5f618074fa1fbc83fbb113b42ae6fa3e0b7fdb86441b930d0d71842e96b4b521
RIPEMD160: 922b130ccc3bda159bfa399b494da089ef2e50fe
SHA1: c0d507e9ff122135a3e20e3920649bce636c8726
Strict time order: True
Capture application: Sanitized by TraceWrangler v0.6.8 build 949
Capture comment: Sanitized by TraceWrangler v0.6.8 build 949
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
Description = Ethernet0
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 10 (1809), build 17763
Number of stat entries = 0
Number of packets = 3
λ capinfos test0*.pcapng
File name: test01.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 2
File size: 488 bytes
Data size: 120 bytes
Capture duration: 0.001654 seconds
First packet time: 2021-07-19 13:17:07.172339
Last packet time: 2021-07-19 13:17:07.173993
Data byte rate: 72 kBps
Data bit rate: 580 kbps
Average packet size: 60.00 bytes
Average packet rate: 1209 packets/s
SHA256: 7f73fa4cee113507fb13bfea6c3d588d16ce62455dba84967b6c7e9ff5f119f9
RIPEMD160: 99c63e7b258156ca52332607170060514a05374c
SHA1: 0e73dc6d560a1ed7a94ba3639d04e268ed58e8a9
Strict time order: True
Capture application: Sanitized by TraceWrangler v0.6.8 build 949
Capture comment: Sanitized by TraceWrangler v0.6.8 build 949
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
Description = Ethernet0
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 10 (1809), build 17763
Number of stat entries = 0
Number of packets = 2
File name: test02.pcapng
File type: Wireshark/... - pcapng
File encapsulation: Ethernet
File timestamp precision: microseconds (6)
Packet size limit: file hdr: (not set)
Number of packets: 1
File size: 388 bytes
Data size: 66 bytes
Capture duration: 0.000000 seconds
First packet time: 2021-07-19 13:17:07.173872
Last packet time: 2021-07-19 13:17:07.173872
Data byte rate: 0 bytes/s
Data bit rate: 0 bits/s
Average packet size: 66.00 bytes
Average packet rate: 0 packets/s
SHA256: 6c52de6c914bfcefab0f06773fffa2e3a6d6e29be580cf857a7af03cfac12a64
RIPEMD160: 0d1daa946a757cd6f57a3a97c87753f93a88bbf3
SHA1: 623955ea30d52e85dce3e92b963c1440a11b7ed6
Strict time order: True
Capture application: Sanitized by TraceWrangler v0.6.8 build 949
Capture comment: Sanitized by TraceWrangler v0.6.8 build 949
Number of interfaces in file: 1
Interface #0 info:
Name = \Device\NPF_{B1071A54-24CE-477D-A23D-93223A1A3721}
Description = Ethernet0
Encapsulation = Ethernet (1 - ether)
Capture length = 262144
Time precision = microseconds (6)
Time ticks per second = 1000000
Time resolution = 0x06
Operating system = 64-bit Windows 10 (1809), build 17763
Number of stat entries = 0
Number of packets = 1
λ tshark -r test.pcapng
1 0.000000 192.168.0.1 → 10.10.10.1 TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.001533 10.10.10.1 → 192.168.0.1 TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
3 0.001654 192.168.0.1 → 10.10.10.1 TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
λ tshark -r test01.pcapng
1 0.000000 192.168.0.1 → 10.10.10.1 TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.001654 192.168.0.1 → 10.10.10.1 TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
λ tshark -r test02.pcapng
1 0.000000 10.10.10.1 → 192.168.0.1 TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
Mergecap
Mergecap 是 Wireshark 程序安装时附带的可选工具之一,用于合并数据包文件的命令行工具。以下仅做一些基础命令的展示,对于这个工具,我还专门详细写过一篇文章《Wireshark CLI | Mergecap 篇》,有兴趣的可以瞅瞅。
默认合并方式是基于数据帧的时间戳。示例中合并 test01 和 test02 后即与 test 相同。
λ mergecap -w merge.pcapng test01.pcapng test02.pcapng
λ tshark -r merge.pcapng
1 0.000000 192.168.0.1 → 10.10.10.1 TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.001533 10.10.10.1 → 192.168.0.1 TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
3 0.001654 192.168.0.1 → 10.10.10.1 TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
-a 选项,连接而不是合并文件。
λ mergecap -a -w merge.pcapng test01.pcapng test02.pcapng
λ tshark -r merge.pcapng
1 0.000000 192.168.0.1 → 10.10.10.1 TCP 66 53769 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM
2 0.001654 192.168.0.1 → 10.10.10.1 TCP 54 53769 → 80 [ACK] Seq=1 Ack=1 Win=262656 Len=0
3 0.001533 10.10.10.1 → 192.168.0.1 TCP 66 80 → 53769 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM
Wireshark
对于 Mergecap 命令行所实现的基本功能,实际上 Wireshark 主界面的文件菜单上既有相对应的功能选项。
File -> Merge ,使用方式是先打开一个捕获文件,譬如 test01.pcapng,在文件菜单中再选择合并,选择需要再加载的一个捕获文件,譬如 test02.pcapng,打开即可。
上图左下角,默认第二个选项,也就是基于数据帧的时间戳合并,如下合并成一个新创建的临时文件,保存即可。
另外第一个选项,是将第二个文件的数据包加载到第一个文件的数据包之前,如下合并成一个新创建的临时文件,保存即可。
第三个选项,是将第二个文件的数据包加载到第一个文件的数据包之后,如下合并成一个新创建的临时文件,保存即可。
还是 Wireshark
实际上还有一个更简单的方式,直接使用拖放就可以在主窗口上合并多个文件。Wireshark 仍将会按照时间戳顺序将选中的多个文件数据包合并到一个新创建的临时文件中,保存即可。
总结
- Mergecap 功能更强大,命令行操作也方便;
- Wireshark 自带的 Merge 相对功能弱些,而且也没法一次性合并多个文件;
- 如果仅是按照时间戳顺序合并,拖放方式最为简单。
