1. What does the mergecap command do?
As the name merge-cap suggests, it is used to merge pcap files, that is, to combine several files into a single pcap.
Let's run mergecap -h to see how the command is used:
[root@localhost exception_pcap]# mergecap -h
Mergecap 1.10.14 (Git Rev Unknown from unknown)
Merge two or more capture files into one.
See http://www.wireshark.org for more information.
Usage: mergecap [options] -w <outfile>|- <infile> [<infile> ...]
Output:
-a concatenate rather than merge files.
default is to merge based on frame timestamps.
-s <snaplen> truncate packets to <snaplen> bytes of data. // -s must be followed by a decimal number (the default is 186 bytes)
-w <outfile>|- set the output filename to <outfile> or '-' for stdout.
-F <capture type> set the output file type; default is pcapng.
an empty "-F" option will list the file types.
-T <encap type> set the output file encapsulation type;
default is the same as the first input file.
an empty "-T" option will list the encapsulation types.
Miscellaneous:
-h display this help and exit.
-v verbose output.
2. Now let's try out these options:
(1) Basic usage
[root@localhost mergecap]# ls
userip-1.pcap userip-2.pcap userip-3.pcap userip-4.pcap userip-5.pcap userip-6.pcap userip-8.pcap userip-9.pcap
[root@localhost mergecap]# mergecap -a userip-1.pcap userip-2.pcap -w merge_out.pcap
[root@localhost mergecap]# ls
merge_out.pcap userip-1.pcap userip-2.pcap userip-3.pcap userip-4.pcap userip-5.pcap userip-6.pcap userip-8.pcap userip-9.pcap
[root@localhost mergecap]#
// Note: several pcap files can follow mergecap's -a option (I don't know the exact limit; the most I have passed is 85 pcap files)
(2) Other options
[root@localhost mergecap]# mergecap -a userip-1.pcap userip-2.pcap -T ppp -s 500 -w merge_out.pcap
// -T sets the encapsulation of the output packets to ppp
// -s truncates every output packet to the given length; the argument after -s must be a decimal number
// you can try the -F option yourself
(3) How to merge all pcap files in a directory into one pcap
// list all file names with echo `ls`
[root@localhost mergecap]# echo `ls`
3.pcap merge_out.pcap one.pcap userip-1.pcap userip-2.pcap userip-3.pcap userip-4.pcap userip-5.pcap userip-6.pcap userip-8.pcap userip-9.pcap
// then merge those files with mergecap (the listing above already contains one.pcap and merge_out.pcap, so the output file is also fed in as an input here; keep the output outside the input set)
[root@localhost mergecap]# mergecap -a $(echo `ls`) -w one.pcap
[root@localhost mergecap]# ls -lh
总用量 5.2M
-rw-r--r-- 1 root root 2.7M 9月 15 18:53 one.pcap
-rw-r--r-- 1 root root 365K 9月 15 18:36 userip-1.pcap
-rw-r--r-- 1 root root 257K 9月 15 18:36 userip-2.pcap
-rw-r--r-- 1 root root 286K 9月 15 18:36 userip-3.pcap
-rw-r--r-- 1 root root 485K 9月 15 18:36 userip-4.pcap
-rw-r--r-- 1 root root 365K 9月 15 18:36 userip-5.pcap
-rw-r--r-- 1 root root 286K 9月 15 18:36 userip-6.pcap
-rw-r--r-- 1 root root 301K 9月 15 18:36 userip-8.pcap
-rw-r--r-- 1 root root 151K 9月 15 18:36 userip-9.pcap
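To make the difference between the default timestamp merge, -a (concatenate) and -s (snaplen) from sections (1) to (3) concrete, here is an added Python example (not part of the original post and not Wireshark's code) that builds two small pcap files in memory and combines them both ways; the sample frames and their timestamps are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4       # microsecond-resolution pcap, written little-endian here
GLOBAL_HDR = "<IHHiIII"       # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "<IIII"          # ts_sec, ts_usec, incl_len, orig_len

def write_pcap(records, linktype, snaplen=65535):
    """Serialise (ts_sec, ts_usec, data, orig_len) records into pcap bytes."""
    out = [struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for sec, usec, data, orig_len in records:
        out.append(struct.pack(RECORD_HDR, sec, usec, len(data), orig_len) + data)
    return b"".join(out)

def read_pcap(blob):
    """Parse little-endian pcap bytes -> (linktype, [(ts_sec, ts_usec, data, orig_len)])."""
    magic, _, _, _, _, _, linktype = struct.unpack_from(GLOBAL_HDR, blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    off, records = struct.calcsize(GLOBAL_HDR), []
    while off + 16 <= len(blob):
        sec, usec, incl, orig = struct.unpack_from(RECORD_HDR, blob, off)
        off += 16
        records.append((sec, usec, blob[off:off + incl], orig))
        off += incl
    return linktype, records

def merge_pcaps(blobs, concatenate=False, snaplen=None):
    """Combine pcap blobs like mergecap: default re-orders all frames by timestamp
    (mergecap's default merge); concatenate=True appends files in order (mergecap -a);
    snaplen=N cuts each frame's stored bytes to N, keeping orig_len (mergecap -s N)."""
    linktypes, records = set(), []
    for blob in blobs:
        lt, recs = read_pcap(blob)
        linktypes.add(lt)
        records.extend(recs)
    if len(linktypes) != 1:  # a plain pcap file carries exactly one link-layer type
        raise ValueError(f"mixed encapsulation types {sorted(linktypes)}, cannot write pcap")
    if not concatenate:
        records.sort(key=lambda r: (r[0], r[1]))
    if snaplen is not None:
        records = [(s, u, d[:snaplen], o) for s, u, d, o in records]
    return write_pcap(records, linktypes.pop(), snaplen or 65535)

def frame_order(blob):
    """Timestamps (seconds) of a pcap blob in stored order, to compare merge vs -a."""
    return [sec for sec, _, _, _ in read_pcap(blob)[1]]

# Constructed sample captures (Ethernet, linktype 1): FILE_A holds frames at t=100 and
# t=102, FILE_B one frame at t=101, so the default merge and -a give different orders.
FILE_A = write_pcap([(100, 0, b"AAAAAAAA", 8), (102, 0, b"CCCCCCCC", 8)], linktype=1)
FILE_B = write_pcap([(101, 0, b"BBBBBBBB", 8)], linktype=1)
```

frame_order(merge_pcaps([FILE_A, FILE_B])) gives [100, 101, 102], while the concatenate=True form gives [100, 102, 101], which is exactly why -a is only appropriate when the input files were captured one after another.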
3. More on the -F and -T options
[root@localhost exception_pcap]# mergecap -F
mergecap: option requires an argument -- 'F'
mergecap: The available capture file types for the "-F" flag are:
5views - InfoVista 5View capture
btsnoop - Symbian OS btsnoop
commview - TamoSoft CommView
dct2000 - Catapult DCT2000 trace (.out format)
erf - Endace ERF capture
eyesdn - EyeSDN USB S0/E1 ISDN trace format
k12text - K12 text file
lanalyzer - Novell LANalyzer
modlibpcap - Modified tcpdump - libpcap
netmon1 - Microsoft NetMon 1.x
netmon2 - Microsoft NetMon 2.x
nettl - HP-UX nettl trace
ngsniffer - NA Sniffer (DOS)
ngwsniffer_1_1 - NA Sniffer (Windows) 1.1
ngwsniffer_2_0 - NA Sniffer (Windows) 2.00x
niobserver - Network Instruments Observer
nokialibpcap - Nokia tcpdump - libpcap
nseclibpcap - Wireshark - nanosecond libpcap
nstrace10 - NetScaler Trace (Version 1.0)
nstrace20 - NetScaler Trace (Version 2.0)
pcap - Wireshark/tcpdump/... - pcap
pcapng - Wireshark/... - pcapng
rf5 - Tektronix K12xx 32-bit .rf5 format
rh6_1libpcap - RedHat 6.1 tcpdump - libpcap
snoop - Sun snoop
suse6_3libpcap - SuSE 6.3 tcpdump - libpcap
visual - Visual Networks traffic capture
[root@localhost exception_pcap]# mergecap -T
mergecap: option requires an argument -- 'T'
mergecap: The available encapsulation types for the "-T" flag are:
ap1394 - Apple IP-over-IEEE 1394
arcnet - ARCNET
arcnet_linux - Linux ARCNET
ascend - Lucent/Ascend access equipment
atm-pdus - ATM PDUs
atm-pdus-untruncated - ATM PDUs - untruncated
atm-rfc1483 - RFC 1483 ATM
ax25 - Amateur Radio AX.25
ax25-kiss - AX.25 with KISS header
bacnet-ms-tp - BACnet MS/TP
bacnet-ms-tp-with-direction - BACnet MS/TP with Directional Info
ber - ASN.1 Basic Encoding Rules
bluetooth-h4 - Bluetooth H4
bluetooth-h4-linux - Bluetooth H4 with linux header
bluetooth-hci - Bluetooth without transport layer
can20b - Controller Area Network 2.0B
chdlc - Cisco HDLC
chdlc-with-direction - Cisco HDLC with Directional Info
cosine - CoSine L2 debug log
dbus - D-Bus
dct2000 - Catapult DCT2000
docsis - Data Over Cable Service Interface Specification
dpnss_link - Digital Private Signalling System No 1 Link Layer
dvbci - DVB-CI (Common Interface)
enc - OpenBSD enc(4) encapsulating interface
erf - Extensible Record Format
ether - Ethernet
ether-nettl - Ethernet with nettl headers
fc2 - Fibre Channel FC-2
fc2sof - Fibre Channel FC-2 With Frame Delimiter
fddi - FDDI
fddi-nettl - FDDI with nettl headers
fddi-swapped - FDDI with bit-swapped MAC addresses
flexray - FlexRay
frelay - Frame Relay
frelay-with-direction - Frame Relay with Directional Info
gcom-serial - GCOM Serial
gcom-tie1 - GCOM TIE1
gprs-llc - GPRS LLC
gsm_um - GSM Um Interface
hhdlc - HiPath HDLC
i2c - I2C
ieee-802-11 - IEEE 802.11 Wireless LAN
ieee-802-11-airopeek - IEEE 802.11 plus AiroPeek radio header
ieee-802-11-avs - IEEE 802.11 plus AVS radio header
ieee-802-11-netmon - IEEE 802.11 plus Network Monitor radio header
ieee-802-11-prism - IEEE 802.11 plus Prism II monitor mode radio header
ieee-802-11-radio - IEEE 802.11 Wireless LAN with radio information
ieee-802-11-radiotap - IEEE 802.11 plus radiotap radio header
ieee-802-16-mac-cps - IEEE 802.16 MAC Common Part Sublayer
infiniband - InfiniBand
ios - Cisco IOS internal
ip-over-fc - RFC 2625 IP-over-Fibre Channel
ip-over-ib - IP over Infiniband
ipfix - IPFIX
ipmb - Intelligent Platform Management Bus
ipnet - Solaris IPNET
irda - IrDA
isdn - ISDN
ixveriwave - IxVeriWave header and stats block
jfif - JPEG/JFIF
juniper-atm1 - Juniper ATM1
juniper-atm2 - Juniper ATM2
juniper-chdlc - Juniper C-HDLC
juniper-ether - Juniper Ethernet
juniper-frelay - Juniper Frame-Relay
juniper-ggsn - Juniper GGSN
juniper-mlfr - Juniper MLFR
juniper-mlppp - Juniper MLPPP
juniper-ppp - Juniper PPP
juniper-pppoe - Juniper PPPoE
juniper-svcs - Juniper Services
juniper-vp - Juniper Voice PIC
k12 - K12 protocol analyzer
lapb - LAPB
lapd - LAPD
layer1-event - EyeSDN Layer 1 event
lin - Local Interconnect Network
linux-atm-clip - Linux ATM CLIP
linux-lapd - LAPD with Linux pseudo-header
linux-sll - Linux cooked-mode capture
ltalk - Localtalk
mime - MIME
most - Media Oriented Systems Transport
mp2ts - ISO/IEC 13818-1 MPEG2-TS
mpeg - MPEG
mtp2 - SS7 MTP2
mtp2-with-phdr - MTP2 with pseudoheader
mtp3 - SS7 MTP3
mux27010 - MUX27010
netanalyzer - netANALYZER
netanalyzer-transparent - netANALYZER-Transparent
nfc-llcp - NFC LLCP
nflog - NFLOG
nstrace10 - NetScaler Encapsulation 1.0 of Ethernet
nstrace20 - NetScaler Encapsulation 2.0 of Ethernet
null - NULL
packetlogger - PacketLogger
pflog - OpenBSD PF Firewall logs
pflog-old - OpenBSD PF Firewall logs, pre-3.4
ppi - Per-Packet Information header
ppp - PPP
ppp-with-direction - PPP with Directional Info
pppoes - PPP-over-Ethernet session
raw-icmp-nettl - Raw ICMP with nettl headers
raw-icmpv6-nettl - Raw ICMPv6 with nettl headers
raw-telnet-nettl - Raw telnet with nettl headers
rawip - Raw IP
rawip-nettl - Raw IP with nettl headers
rawip4 - Raw IPv4
rawip6 - Raw IPv6
redback - Redback SmartEdge
sccp - SS7 SCCP
sctp - SCTP
sdh - SDH
sdlc - SDLC
sita-wan - SITA WAN packets
slip - SLIP
socketcan - SocketCAN
symantec - Symantec Enterprise Firewall
tnef - Transport-Neutral Encapsulation Format
tr - Token Ring
tr-nettl - Token Ring with nettl headers
tzsp - Tazmen sniffer protocol
unknown - Unknown
unknown-nettl - Unknown link-layer type with nettl headers
usb - Raw USB packets
usb-linux - USB packets with Linux header
usb-linux-mmap - USB packets with Linux header and padding
usb-usbpcap - USB packets with USBPcap header
user0 - USER 0
user1 - USER 1
user10 - USER 10
user11 - USER 11
user12 - USER 12
user13 - USER 13
user14 - USER 14
user15 - USER 15
user2 - USER 2
user3 - USER 3
user4 - USER 4
user5 - USER 5
user6 - USER 6
user7 - USER 7
user8 - USER 8
user9 - USER 9
v5-ef - V5 Envelope Function
vsock - Linux vsock
whdlc - Wellfleet HDLC
wpan - IEEE 802.15.4 Wireless PAN
wpan-nofcs - IEEE 802.15.4 Wireless PAN with FCS not present
wpan-nonask-phy - IEEE 802.15.4 Wireless PAN non-ASK PHY
x25-nettl - X.25 with nettl headers
x2e-serial - X2E serial line capture
x2e-xoraya - X2E Xoraya