This project is read-only.

Features:

  • As input and also output format it currently supports LibPCAP (version 2 and higher) and Microsoft Network Monitor (version 2.x).
  • It uses own parsing engine that fits the need for fast processing of opened files without caching and storing any unnecessary information in memory.
  • Supports merging of packets from different input PCAP files (means also different sources of time information).
  • Sorting that allows easy addition of new sorting kernels (another sorting algorithm) - currently supported are QuickSort and HeapSort.
  • Currently working above wired and wireless Ethernet frames but it could be extended by additonal link-layer protocols.

Usage:

Copyright (C) 2012 NES@FIT - http://www.fit.vutbr.cz/research/groups/nes@fit/
Brno University of Technology, Faculty of Information Technology

Usage: PCAPMerger.exe -i file1.cap+file2.cap -o output.cap -s heapsort -f mnm

Options:

-mnm1 Optional. Print information in MNM Capture File Header
-mnm2 Optional. Print information in MNM Process Info Table
-mnm3 Optional. Print information in MNM Extended Info
-mnm4 Optional. Print information in MNM Frame Table Layout
-tcpd1 Optional. Print information in TCPD Global Header
-tcpd2 Optional. Print information in TCPD Frame Table
-i, --input Required. Input PCAP files to be processed delimited with
+ character.
-o, --output Required. An output PCAP file
-f, --format Required. Output PCAP format, currently supports 'tcpd' (standard
libPCAP) and 'mnm' (MS NetMon)
-v, --verbose Optional. Verbose mode with additional information. All debug and
informational messages will be displayed!
-s, --sorting Optional. Used sorting alghoritm, currently you can choose
between 'quicksort' or 'heapsort'
-help Display this help screen.

This program reads input PCAP files and merge their content sorted by time to output file regardless to any API.

 Pseudocode:

  1. Process command line arguments;
  2. Check input PCAP files and open them for binary reading;
  3. Get basic information from PCAP files (content of general headers);
  4. Verify if same link-layer protocols are used in all PCAP files;
  5. Initialize auxiliary abstract data structure and sort its content chronologically;
  6. Create output PCAP files;
  7. Close all opened files.

Last edited Nov 8, 2012 at 4:00 PM by kvetak, version 26

Comments

No comments yet.