====== Merge multiple thin PCAP files into a single thick PCAP ======

When you install Trisul Network Analytics, you get a free command line tool called ''trisul_ixmgtool''. This tool has a unique capability to **squish** PCAP files, which is very handy for creating fat PCAP files for testing. This article explains how this free tool works.

===== What is a FAT pcap file =====

A FAT pcap file contains more unique flows and endpoints than a THIN pcap file. When testing NSM((Network Security Monitoring)) platforms we look for FAT pcap files because they stress the memory and performance of algorithms. Given a 10GB //thin// PCAP file with just 1 flow and a 1GB //fat// PCAP file with 100K flows, you should prefer the FAT file for testing.

FAT PCAP files can be hard to obtain. You might get them from large corporate border networks for private use, but in general it is quite hard to come across them. With //trisul_ixmgtool// you can merge multiple thin PCAPs into a single fat PCAP file.

===== How is it different from mergecap =====

Mergecap is a command line [[https://www.wireshark.org/docs/man-pages/mergecap.html|utility from the Wireshark]] project. It also combines multiple thin PCAP files into a single fat PCAP file, but it preserves the timestamps, so it fattens the output PCAP only when there is significant overlap in the time windows.

trisul_ixmgtool, when run with the squish option, aligns the timestamps of the files to the lowest timestamp and then processes the merge. The following diagram illustrates the difference between mergecap and ixmgtool.

{{:pcaps:ixmgtool.png |}}

====== trisul_ixmgtool ======

To get the free ixmgtool, [[https://trisul.org/download|install Trisul Probe]]. You will find trisul_ixmgtool in ''/usr/local/bin''.
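
The difference between a timestamp-preserving merge and the squish merge described above can be seen in the following added Python example, which is not trisul_ixmgtool's own code. It assumes classic little-endian microsecond PCAP input, and it assumes "align to the lowest timestamp" means shifting each file so that its earliest packet lands on the earliest packet of all the files; the function names are hypothetical.

```python
import struct

FILE_HDR = struct.Struct("<IHHiIII")  # classic pcap global header, little-endian
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len
MAGIC_USEC = 0xA1B2C3D4               # microsecond-resolution pcap magic

def read_pcap(blob):
    """Parse pcap bytes into [(ts_usec, orig_len, data), ...]."""
    if len(blob) < FILE_HDR.size or FILE_HDR.unpack_from(blob)[0] != MAGIC_USEC:
        raise ValueError("expected a little-endian microsecond pcap")
    packets, off = [], FILE_HDR.size
    while off + REC_HDR.size <= len(blob):
        sec, usec, incl, orig = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        if off + incl > len(blob):
            break  # truncated last record, as left by an interrupted capture
        packets.append((sec * 1_000_000 + usec, orig, blob[off:off + incl]))
        off += incl
    return packets

def write_pcap(packets, linktype=1, snaplen=65535):
    """Serialise [(ts_usec, orig_len, data), ...] as a pcap (linktype 1 = Ethernet)."""
    out = bytearray(FILE_HDR.pack(MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype))
    for ts, orig, data in packets:
        out += REC_HDR.pack(ts // 1_000_000, ts % 1_000_000, len(data), orig) + data
    return bytes(out)

def merge_keep_time(captures):
    """mergecap-style: timestamps untouched, packets ordered by time."""
    return sorted((p for c in captures for p in c), key=lambda p: p[0])

def squish(captures):
    """Shift each capture so its earliest packet sits on the lowest timestamp, then merge."""
    captures = [c for c in captures if c]
    if not captures:
        return []
    starts = [min(p[0] for p in c) for c in captures]
    base = min(starts)
    shifted = [[(ts - s + base, orig, data) for ts, orig, data in c]
               for c, s in zip(captures, starts)]
    return merge_keep_time(shifted)

def demo():
    # Constructed sample input: two thin captures taken hours apart, dummy payloads.
    a = read_pcap(write_pcap([(1_000_000_000, 4, b"A1__"), (1_002_000_000, 4, b"A2__")]))
    b = read_pcap(write_pcap([(9_000_000_000, 4, b"B1__"), (9_001_000_000, 4, b"B2__")]))
    kept = [d for _, _, d in merge_keep_time([a, b])]
    squished = [d for _, _, d in squish([a, b])]
    return kept, squished  # squished interleaves A and B; kept does not
```

With the two constructed captures, the timestamp-preserving merge simply places capture B after capture A, while the squish merge interleaves their packets so that both sets of flows are active in the same time window.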