【Linux命令】mergecap命令的用法

1、mergecap命令是做什么的？

 

merge-cap从这个命令的名称可以看出来，是用来合并pcap文件的，也就是把多个文件合并成一个pcap。

我们执行一下 mergecap -h 看一下这个命令怎么用：

 

[root@localhost exception_pcap]# mergecap -h
Mergecap 1.10.14 (Git Rev Unknown from unknown)
Merge two or more capture files into one.（//合并两个或者多个捕获文件到一个文件）
See http://www.wireshark.org for more information.


Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]


Output:
  -a                concatenate rather than merge files.                      //连接（文件）而不是合并文件
                    default is to merge based on frame timestamps.            //默认是基于帧时间戳的合并
  -s <snaplen>      truncate packets to <snaplen> bytes of data.              //将数据包截断为<snaplen>字节的数据，-s后面必须跟一个十进制数字(默认是186字节)
  -w <outfile>|-    set the output filename to <outfile> or '-' for stdout.   //设置（指定）输出文件名 
  -F <capture type> set the output file type; default is pcapng.              //设置输出文件类型；默认为pcapng
                    an empty "-F" option will list the file types.            //
  -T <encap type>   set the output file encapsulation type;                   //设置输出文件封装类型
                    default is the same as the first input file.              //默认值与第一个输入文件相同。
                    an empty "-T" option will list the encapsulation types.   //


Miscellaneous:
  -h                display this help and exit.                               //显示帮助及退出
  -v                verbose output.                                           //输出参数

 

2、下面我们来使用一下这些参数：

 

（1）基本参数使用

[root@localhost mergecap]# ls
userip-1.pcap  userip-2.pcap  userip-3.pcap  userip-4.pcap  userip-5.pcap  userip-6.pcap  userip-8.pcap  userip-9.pcap
[root@localhost mergecap]# mergecap -a userip-1.pcap userip-2.pcap -w merge_out.pcap
[root@localhost mergecap]# ls
merge_out.pcap  userip-1.pcap  userip-2.pcap  userip-3.pcap  userip-4.pcap  userip-5.pcap  userip-6.pcap  userip-8.pcap  userip-9.pcap
[root@localhost mergecap]#
//备注：mergecap命令的-a参数后面，可以跟多个pcap文件（具体能跟多少个不知道，我最多后面跟了85个pcap文件）

（2）其他参数使用

[root@localhost mergecap]# mergecap -a userip-1.pcap userip-2.pcap -T ppp -s 500 -w merge_out.pcap
//使用-T参数，把输出报文封装成ppp格式的
//使用-s 参数，把输出的每个报文截断成为一定规律长度的报文...，-s参数后面一定要带一个10进制的数字
//-F 参数大家可以自己试用一下

（3）如何把一个目录下面的所有pcap文件合并成一个pcap

//用echo `ls`显示所有文件名
[root@localhost mergecap]# echo `ls`
3.pcap merge_out.pcap one.pcap userip-1.pcap userip-2.pcap userip-3.pcap userip-4.pcap userip-5.pcap userip-6.pcap userip-8.pcap userip-9.pcap

//再用mergecap命令对这些文件进行合并
[root@localhost mergecap]# mergecap -a $(echo `ls`) -w one.pcap
[root@localhost mergecap]# ls -lh
总用量 5.2M
-rw-r--r-- 1 root root 2.7M 9月  15 18:53 one.pcap
-rw-r--r-- 1 root root 365K 9月  15 18:36 userip-1.pcap
-rw-r--r-- 1 root root 257K 9月  15 18:36 userip-2.pcap
-rw-r--r-- 1 root root 286K 9月  15 18:36 userip-3.pcap
-rw-r--r-- 1 root root 485K 9月  15 18:36 userip-4.pcap
-rw-r--r-- 1 root root 365K 9月  15 18:36 userip-5.pcap
-rw-r--r-- 1 root root 286K 9月  15 18:36 userip-6.pcap
-rw-r--r-- 1 root root 301K 9月  15 18:36 userip-8.pcap
-rw-r--r-- 1 root root 151K 9月  15 18:36 userip-9.pcap

 

3、-F和-T 参数扩展

[root@localhost exception_pcap]# mergecap -F
mergecap: option requires an argument -- 'F'
mergecap: The available capture file types for the "-F" flag are:
    5views - InfoVista 5View capture
    btsnoop - Symbian OS btsnoop
    commview - TamoSoft CommView
    dct2000 - Catapult DCT2000 trace (.out format)
    erf - Endace ERF capture
    eyesdn - EyeSDN USB S0/E1 ISDN trace format
    k12text - K12 text file
    lanalyzer - Novell LANalyzer
    modlibpcap - Modified tcpdump - libpcap
    netmon1 - Microsoft NetMon 1.x
    netmon2 - Microsoft NetMon 2.x
    nettl - HP-UX nettl trace
    ngsniffer - NA Sniffer (DOS)
    ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
    ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
    niobserver - Network Instruments Observer
    nokialibpcap - Nokia tcpdump - libpcap
    nseclibpcap - Wireshark - nanosecond libpcap
    nstrace10 - NetScaler Trace (Version 1.0)
    nstrace20 - NetScaler Trace (Version 2.0)
    pcap - Wireshark/tcpdump/... - pcap
    pcapng - Wireshark/... - pcapng
    rf5 - Tektronix K12xx 32-bit .rf5 format
    rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
    snoop - Sun snoop
    suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
    visual - Visual Networks traffic capture


[root@localhost exception_pcap]# mergecap -T
mergecap: option requires an argument -- 'T'
mergecap: The available encapsulation types for the "-T" flag are:
    ap1394 - Apple IP-over-IEEE 1394
    arcnet - ARCNET
    arcnet_linux - Linux ARCNET
    ascend - Lucent/Ascend access equipment
    atm-pdus - ATM PDUs
    atm-pdus-untruncated - ATM PDUs - untruncated
    atm-rfc1483 - RFC 1483 ATM
    ax25 - Amateur Radio AX.25
    ax25-kiss - AX.25 with KISS header
    bacnet-ms-tp - BACnet MS/TP
    bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
    ber - ASN.1 Basic Encoding Rules
    bluetooth-h4 - Bluetooth H4
    bluetooth-h4-linux - Bluetooth H4 with linux header
    bluetooth-hci - Bluetooth without transport layer
    can20b - Controller Area Network 2.0B
    chdlc - Cisco HDLC
    chdlc-with-direction - Cisco HDLC with Directional Info
    cosine - CoSine L2 debug log
    dbus - D-Bus
    dct2000 - Catapult DCT2000
    docsis - Data Over Cable Service Interface Specification
    dpnss_link - Digital Private Signalling System No 1 Link Layer
    dvbci - DVB-CI (Common Interface)
    enc - OpenBSD enc(4) encapsulating interface
    erf - Extensible Record Format
    ether - Ethernet
    ether-nettl - Ethernet with nettl headers
    fc2 - Fibre Channel FC-2
    fc2sof - Fibre Channel FC-2 With Frame Delimiter
    fddi - FDDI
    fddi-nettl - FDDI with nettl headers
    fddi-swapped - FDDI with bit-swapped MAC addresses
    flexray - FlexRay
    frelay - Frame Relay
    frelay-with-direction - Frame Relay with Directional Info
    gcom-serial - GCOM Serial
    gcom-tie1 - GCOM TIE1
    gprs-llc - GPRS LLC
    gsm_um - GSM Um Interface
    hhdlc - HiPath HDLC
    i2c - I2C
    ieee-802-11 - IEEE 802.11 Wireless LAN
    ieee-802-11-airopeek - IEEE 802.11 plus AiroPeek radio header
    ieee-802-11-avs - IEEE 802.11 plus AVS radio header
    ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
    ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
    ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
    ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
    ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
    infiniband - InfiniBand
    ios - Cisco IOS internal
    ip-over-fc - RFC 2625 IP-over-Fibre Channel
    ip-over-ib - IP over Infiniband
    ipfix - IPFIX
    ipmb - Intelligent Platform Management Bus
    ipnet - Solaris IPNET
    irda - IrDA
    isdn - ISDN
    ixveriwave - IxVeriWave header and stats block
    jfif - JPEG/JFIF
    juniper-atm1 - Juniper ATM1
    juniper-atm2 - Juniper ATM2
    juniper-chdlc - Juniper C-HDLC
    juniper-ether - Juniper Ethernet
    juniper-frelay - Juniper Frame-Relay
    juniper-ggsn - Juniper GGSN
    juniper-mlfr - Juniper MLFR
    juniper-mlppp - Juniper MLPPP
    juniper-ppp - Juniper PPP
    juniper-pppoe - Juniper PPPoE
    juniper-svcs - Juniper Services
    juniper-vp - Juniper Voice PIC
    k12 - K12 protocol analyzer
    lapb - LAPB
    lapd - LAPD
    layer1-event - EyeSDN Layer 1 event
    lin - Local Interconnect Network
    linux-atm-clip - Linux ATM CLIP
    linux-lapd - LAPD with Linux pseudo-header
    linux-sll - Linux cooked-mode capture
    ltalk - Localtalk
    mime - MIME
    most - Media Oriented Systems Transport
    mp2ts - ISO/IEC 13818-1 MPEG2-TS
    mpeg - MPEG
    mtp2 - SS7 MTP2
    mtp2-with-phdr - MTP2 with pseudoheader
    mtp3 - SS7 MTP3
    mux27010 - MUX27010
    netanalyzer - netANALYZER
    netanalyzer-transparent - netANALYZER-Transparent
    nfc-llcp - NFC LLCP
    nflog - NFLOG
    nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
    nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
    null - NULL
    packetlogger - PacketLogger
    pflog - OpenBSD PF Firewall logs
    pflog-old - OpenBSD PF Firewall logs, pre-3.4
    ppi - Per-Packet Information header
    ppp - PPP
    ppp-with-direction - PPP with Directional Info
    pppoes - PPP-over-Ethernet session
    raw-icmp-nettl - Raw ICMP with nettl headers
    raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
    raw-telnet-nettl - Raw telnet with nettl headers
    rawip - Raw IP
    rawip-nettl - Raw IP with nettl headers
    rawip4 - Raw IPv4
    rawip6 - Raw IPv6
    redback - Redback SmartEdge
    sccp - SS7 SCCP
    sctp - SCTP
    sdh - SDH
    sdlc - SDLC
    sita-wan - SITA WAN packets
    slip - SLIP
    socketcan - SocketCAN
    symantec - Symantec Enterprise Firewall
    tnef - Transport-Neutral Encapsulation Format
    tr - Token Ring
    tr-nettl - Token Ring with nettl headers
    tzsp - Tazmen sniffer protocol
    unknown - Unknown
    unknown-nettl - Unknown link-layer type with nettl headers
    usb - Raw USB packets
    usb-linux - USB packets with Linux header
    usb-linux-mmap - USB packets with Linux header and padding
    usb-usbpcap - USB packets with USBPcap header
    user0 - USER 0
    user1 - USER 1
    user10 - USER 10
    user11 - USER 11
    user12 - USER 12
    user13 - USER 13
    user14 - USER 14
    user15 - USER 15
    user2 - USER 2
    user3 - USER 3
    user4 - USER 4
    user5 - USER 5
    user6 - USER 6
    user7 - USER 7
    user8 - USER 8
    user9 - USER 9
    v5-ef - V5 Envelope Function
    vsock - Linux vsock
    whdlc - Wellfleet HDLC
    wpan - IEEE 802.15.4 Wireless PAN
    wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
    wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
    x25-nettl - X.25 with nettl headers
    x2e-serial - X2E serial line capture
    x2e-xoraya - X2E Xoraya