Chris Swinney wrote:
Hi,
I have taken a capture on two different machines from an in-line network
tap (one to capture upstream, one to capture downstream data). I now
need to merge these files, but when I ask Wireshark to merge them
chronologically, it seems to merge them based on the initial time taken
into the capture, not the actual capture time.
I have tried to mitigate time differences by synching both machines to
an NTP server, but of course both captures are themselves started at
different times. How can I best accomplish what I want? I've had a look
at mergecap (as well as the inbuilt merge facility as shown above), but
am not sure if this will still do what I'm after.
Maybe I'm being naive here but I would expect a "chronological merge" to
merge the packets based on their (absolute) timestamps (that is, based
on the time stamp of each packet--which is in secs+usecs since the
epoch), not based on seconds since the beginning of the capture file.
(In fact I merge capture files quite frequently so I somewhat depend on
this functionality.)
Questions:
- what version of Wireshark are you using?
- what is your time display format (time of day, seconds since beginning
of capture, etc.)? Not that it should matter, but...
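To make the distinction in the reply concrete, here is an added example (not code from either poster, and not how Wireshark or mergecap is implemented) that parses two classic libpcap files and merges them two ways: by each record's absolute timestamp (seconds and microseconds since the epoch, the behaviour a chronological merge should have) and by the offset from the first packet of each file (the behaviour the original poster describes seeing). The two sample captures are constructed inline: an "upstream" file whose recording started earlier than the "downstream" file, so the two orderings differ. Only the microsecond-resolution pcap format is handled; pcapng and nanosecond pcap are out of scope.

```python
import heapq
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4              # classic pcap, microsecond timestamps
GLOBAL_HDR = "IHHiIII"               # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = "IIII"                  # ts_sec, ts_usec, incl_len, orig_len
LINKTYPE_ETHERNET = 1

Record = Tuple[int, int, bytes, int]  # (ts_sec, ts_usec, captured bytes, orig_len)


def write_pcap(records: List[Record], linktype: int = LINKTYPE_ETHERNET,
               snaplen: int = 65535) -> bytes:
    """Serialise records into a little-endian classic pcap file."""
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, data, orig_len in records:
        out.append(struct.pack("<" + RECORD_HDR, ts_sec, ts_usec, len(data), orig_len))
        out.append(data)
    return b"".join(out)


def read_pcap(blob: bytes) -> Tuple[int, List[Record]]:
    """Parse a classic pcap file; byte order is detected from the magic number."""
    if struct.unpack_from("<I", blob, 0)[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack_from(">I", blob, 0)[0] == PCAP_MAGIC:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng / nanosecond pcap not handled)")
    linktype = struct.unpack_from(endian + GLOBAL_HDR, blob, 0)[6]
    off, records = 24, []
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(endian + RECORD_HDR, blob, off)
        off += 16
        if off + incl_len > len(blob):
            raise ValueError("truncated packet record at offset %d" % (off - 16))
        records.append((ts_sec, ts_usec, blob[off:off + incl_len], orig_len))
        off += incl_len
    return linktype, records


def merge_absolute(*blobs: bytes) -> bytes:
    """Chronological merge keyed on each record's absolute (epoch) timestamp."""
    parsed = [read_pcap(b) for b in blobs]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError("all inputs must share one link-layer type")
    # k-way merge over inputs that are each sorted by (ts_sec, ts_usec)
    key = lambda r: (r[0], r[1])
    merged = heapq.merge(*(sorted(recs, key=key) for _, recs in parsed), key=key)
    return write_pcap(list(merged), linktype=linktypes.pop())


def merge_relative(*blobs: bytes) -> bytes:
    """The wrong kind of merge: keyed on microseconds since each file's own first packet."""
    parsed = [read_pcap(b) for b in blobs]
    tagged = []
    for idx, (_, recs) in enumerate(parsed):
        first_sec, first_usec = recs[0][0], recs[0][1]
        for r in recs:
            offset = (r[0] - first_sec) * 1_000_000 + (r[1] - first_usec)
            tagged.append((offset, idx, r))
    tagged.sort(key=lambda t: (t[0], t[1]))     # ties broken by input order
    return write_pcap([r for _, _, r in tagged], linktype=parsed[0][0])


def timestamps(blob: bytes) -> List[Tuple[int, int]]:
    """Return the (ts_sec, ts_usec) sequence of a pcap file, for inspection."""
    return [(r[0], r[1]) for r in read_pcap(blob)[1]]


# Constructed sample captures (frame contents are dummy bytes, not real traffic).
# Upstream tap started recording first; downstream started 200 us later.
UPSTREAM = write_pcap([(1000, 100, b"U1" * 7, 14), (1000, 200, b"U2" * 7, 14),
                       (1000, 900, b"U3" * 7, 14)])
DOWNSTREAM = write_pcap([(1000, 300, b"D1" * 7, 14), (1000, 400, b"D2" * 7, 14)])


def demo_absolute() -> List[Tuple[int, int]]:
    return timestamps(merge_absolute(UPSTREAM, DOWNSTREAM))


def demo_relative() -> List[Tuple[int, int]]:
    return timestamps(merge_relative(UPSTREAM, DOWNSTREAM))


if __name__ == "__main__":
    print("absolute:", demo_absolute())
    print("relative:", demo_relative())
```

With the constructed inputs the absolute merge yields the true wire order (100, 200, 300, 400, 900 us), while the offset-based merge interleaves the two files' first packets and produces 100, 300, 200, 400, 900 us, which is the symptom described at the top of the thread. Two captures from separate machines will only interleave correctly under an absolute merge if their clocks agree, so NTP synchronisation as mentioned by the poster remains a prerequisite; the differing start times by themselves are harmless once the merge keys on absolute time.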