Hans Nilsson wrote:
> How complicated is it to merge two capture files? Do you have to change
> much data in them or basically strip the headers of the second file and
> then append it to the first?

The answer to both of them is "no", because merging doesn't mean
changing the data in the packets, but it also doesn't mean
concatenating, it means *merging*, which is, by default, done by time
stamp, so the packets are sorted by time stamp (under the assumption
that the input files are sorted by time stamp).

It also can mean changing the per-packet record headers, as you might be
merging two different types of capture files, e.g. a libpcap-format file
and a Sniffer-format file.

Therefore, merging involves reading all the input files and writing out
a single output file.
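
The merge described in the message above, as an added example that is not part of the original message or of any capture tool's code: a time-stamp merge of classic libpcap streams that rewrites every per-packet record header into one byte order. It assumes microsecond-resolution libpcap input only (no Sniffer format) and a shared link-layer type; `open_pcap`, `merge_pcaps` and `make_pcap` are hypothetical names, and the sample captures are constructed.

```python
import heapq
import io
import struct

MAGIC = 0xA1B2C3D4  # classic libpcap, microsecond time stamps

def open_pcap(stream):
    """Return (linktype, iterator of (sec, usec, orig_len, data))."""
    hdr = stream.read(24)
    for endian in ("<", ">"):  # the magic number reveals the writer's byte order
        if len(hdr) == 24 and struct.unpack(endian + "I", hdr[:4])[0] == MAGIC:
            break
    else:
        raise ValueError("not a microsecond libpcap file")
    linktype = struct.unpack(endian + "I", hdr[20:24])[0]

    def records():
        while True:
            rec = stream.read(16)
            if len(rec) < 16:
                return  # end of file
            sec, usec, caplen, origlen = struct.unpack(endian + "4I", rec)
            data = stream.read(caplen)
            if len(data) < caplen:
                return  # truncated last packet: drop it
            yield sec, usec, origlen, data
    return linktype, records()

def merge_pcaps(inputs, output, snaplen=65535):
    """Merge time-sorted libpcap streams; return number of packets written."""
    opened = [open_pcap(s) for s in inputs]
    linktypes = {lt for lt, _ in opened}
    if len(linktypes) != 1:
        raise ValueError("inputs have different link-layer types")
    # New file header, then every record header rewritten little-endian.
    output.write(struct.pack("<IHHiIII", MAGIC, 2, 4, 0, 0, snaplen, linktypes.pop()))
    count = 0
    # heapq.merge is a lazy k-way merge that assumes each input is sorted.
    for sec, usec, origlen, data in heapq.merge(
            *(recs for _, recs in opened), key=lambda r: r[:2]):
        output.write(struct.pack("<4I", sec, usec, len(data), origlen))
        output.write(data)
        count += 1
    return count

def make_pcap(endian, packets, linktype=1):
    """Build a constructed sample capture from (sec, usec, payload) tuples."""
    out = struct.pack(endian + "IHHiIII", MAGIC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, data in packets:
        out += struct.pack(endian + "4I", sec, usec, len(data), len(data)) + data
    return io.BytesIO(out)
```

Packet payloads pass through untouched; only the file header and the 16-byte record headers are regenerated, and an input that is not already in time order produces an output that is not in time order either.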