User Tools
pcaps:ixmgtool
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
pcaps:ixmgtool [2019/04/13 13:49] veera [Merge multiple thin PCAP files into a single thick PCAP] |
pcaps:ixmgtool [2019/04/15 11:20] (current) veera [Conclusion] |
||
|---|---|---|---|
| Line 20: | Line 20: | ||
| Mergecap is a command line [[https://www.wireshark.org/docs/man-pages/mergecap.html|utility from the wireshark]] project. It also combines multiple thin PCAP files into a single fat PCAP file. But it preserves the timestamps, hence works to //fatten// the output PCAP //only// if there is significant overlap in the time windows. | Mergecap is a command line [[https://www.wireshark.org/docs/man-pages/mergecap.html|utility from the wireshark]] project. It also combines multiple thin PCAP files into a single fat PCAP file. But it preserves the timestamps, hence works to //fatten// the output PCAP //only// if there is significant overlap in the time windows. | ||
| - | trisul_ixmgtool when run with the squish option , aligns the timestamps of the files to the lowest timestamp and then processes the merge. The following diagram illustrates the difference between mergecap and ixmgtool | + | trisul_ixmgtool when run with the squish option , aligns the timestamps of the files to the lowest timestamp and then processes the merge. The following diagram illustrates the difference between mergecap and ixmgtool. |
| {{:pcaps:ixmgtool.png |}} | {{:pcaps:ixmgtool.png |}} | ||
| + | You can think of ixmgtool as combining the following three operations | ||
| + | - Find the lowest timestamp from all the pcap files, and compute the deltas for each file | ||
| + | - Run ''editcap -t delta'' to transform the timestamps of each file | ||
| + | - Run ''mergecap'' on the transformed pcap files | ||
| ====== Using trisul_ixmgtool ====== | ====== Using trisul_ixmgtool ====== | ||
| Line 126: | Line 130: | ||
| ====== Conclusion ====== | ====== Conclusion ====== | ||
| + | trisul_ixmgtool can be used to create FAT pcaps. These can be very useful for stressing NSM solutons. Using the squish options you can create a mega thick PCAP file for testing by throwing all your PCAP testing files in single directory from varying timestamps and creating a single thick one. | ||
| - | The trisul_ixmgtool part of the Trisul NSM suite can be used for free to create FAT pcaps which can be very useful for stressing NSM solutons. We use this in Trisul NSM to help users download PCAPs of various investigations. | + | Hope this is useful to the NSM community. |
| - | Using the squish options you can create a mega thick PCAP file for testing by throwing all your PCAP testing files in single directory from varying timestamps and creating a single thick one. | ||
| - | Hope this is useful for the NSM community. | + | To get the tool (it is free). Install the Trisul Probe package for your platform from the [[https://trisul.org/download|Trisul Download page]] |
| - | + | ||
| - | + | ||
| - | To get the tool : Install the Trisul Probe package for your platform from the [[https://trisul.org/download|Trisul Download page]] | + | |
pcaps/ixmgtool.1555163378.txt.gz · Last modified: 2019/04/13 13:49 by veera
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
