Readme for tcpdmerge

tcpdmerge: Merging two dumpfiles

"tcpdmerge" merges two dumpfiles based on the packet arrival times. The technique is very simple: it orders the packets of the two dumpfiles by their timestamps. For example,

  prompt% tcpdump -nttr file1.log
  977231921.235979 192.169.1.1.1023 > 192.168.2.2.54396: udp 92 (DF)
  977231921.238222 192.169.1.1.1023 > 192.168.2.2.54396: udp 96 (DF)
  977231921.240246 192.169.1.1.1023 > 192.168.2.2.54396: udp 88 (DF)

  prompt% tcpdump -nttr file2.log
  977231921.232584 192.168.2.2.54396 > 192.169.1.1.1023: udp 68 (DF)
  977231921.236564 192.168.2.2.54396 > 192.169.1.1.1023: udp 80 (DF)
  977231921.238585 192.168.2.2.54396 > 192.169.1.1.1023: udp 80 (DF)

When the above two dumpfiles (file1.log and file2.log) are tcpdmerge(d), the following file is created:

  prompt% tcpdmerge -w join.log file1.log file2.log
  prompt% tcpdump -nttr join.log
  977231921.232584 192.168.2.2.54396 > 192.169.1.1.1023: udp 68 (DF)
  977231921.235979 192.169.1.1.1023 > 192.168.2.2.54396: udp 92 (DF)
  977231921.236564 192.168.2.2.54396 > 192.169.1.1.1023: udp 80 (DF)
  977231921.238222 192.169.1.1.1023 > 192.168.2.2.54396: udp 96 (DF)
  977231921.238585 192.168.2.2.54396 > 192.169.1.1.1023: udp 80 (DF)
  977231921.240246 192.169.1.1.1023 > 192.168.2.2.54396: udp 88 (DF)

On a full-duplex link, the upstream and downstream traffic are sometimes dumped separately, one file per direction. "tcpdmerge" can merge these two files into one. Even when a dump has been split into files by some time interval, this tool is useful for joining the pieces back together.

Usage:

  1) Merge file1.log and file2.log, then save the result to join.log

     prompt% tcpdmerge -w join.log file1.log file2.log

  2) Write the merged dump to standard output and pipe it to tcpdump

     prompt% tcpdmerge file1.log file2.log | tcpdump -r -

"tcpdmerge" works nicely on Solaris and FreeBSD. The source code is available here (http://phantom.nemoto.ecei.tohoku.ac.jp/~akiraka/tcpdmerge/); you have to install libpcap (http://ee.lbl.gov/) beforehand.

Notes:

1. A tool "pcapmerge" (http://indev.insu.com/Fwctl/pcapmerge.html) is available for the same purpose, but it consumes far more time and memory. See the following experiment.

   Experiment: merge two 30-minute data files

     dump_in.log    71648148 bytes
     dump_out.log   12553036 bytes

   [tcpdmerge]

     prompt% time tcpdmerge -w tcpdmerge.log dump_in.log dump_out.log

     PID   USERNAME THR PRI NICE SIZE RES  STATE TIME CPU   COMMAND
     20649 akiraka  1   60  0    976K 648K sleep 0:04 7.28%

     3.15u 5.13s 0:34.47 24.0%            (around 34 seconds)

   [pcapmerge]

     prompt% time ./pcapmerge -w pcapmerge.log -r dump_in.log -r dump_out.log

     PID   USERNAME THR PRI NICE SIZE RES  STATE TIME CPU    COMMAND
     17295 akiraka  3   20  0    263M 262M cpu/1 5:43 48.29% pcapmerge

     3785.11u 16.14s 1:09:05.29 91.7%     (around 69 minutes)

   The resident size shows the difference: tcpdmerge streams the two inputs and keeps well under 1 MB resident, while pcapmerge holds about 262 MB, i.e. the packets of both files, in memory.

2. Dumpfiles captured on different physical (link) layers cannot be merged. A dumpfile carries a single link-layer type in its header, so packets of a different type could not be decoded from the merged file.

3. This is alpha version source code. Please look forward to a more stable version :-).

KANAMARU Akira (akiraka@nemoto.ecei.tohoku.ac.jp)
Ahmed Ashir (babu@shiratori.riec.tohoku.ac.jp)
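The merge described at the top of this readme, as an added example that is not part of tcpdmerge's own source: a small Python script that parses the classic libpcap file format directly (no libpcap needed) and merges any number of dumpfiles by (ts_sec, ts_usec), the way tcpdmerge does for two. It refuses inputs whose link-layer types differ, which is the failure mode of note 2. It assumes each input is in capture order, as tcpdump writes it, and the classic microsecond pcap format (not pcapng). The sample inputs FILE1 and FILE2 are constructed from the timestamps shown for file1.log and file2.log; their payloads are filler bytes of the listed UDP lengths, not captured packets.

```python
"""Merge pcap dumpfiles by packet timestamp (added example, not tcpdmerge's code)."""
import heapq
import struct
import sys
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap magic, microsecond timestamps

# (ts_sec, ts_usec, orig_len, captured bytes)
Packet = Tuple[int, int, int, bytes]


def parse_pcap(buf: bytes) -> Tuple[int, int, List[Packet]]:
    """Return (linktype, snaplen, packets) from an in-memory pcap file.

    The magic is written in the capturing host's byte order, so a file from
    a big-endian host is recognised by its byte-swapped magic and read with
    ">" formats; everything else (pcapng, nanosecond pcap) is rejected.
    """
    if len(buf) < 24:
        raise ValueError("truncated pcap global header")
    (magic,) = struct.unpack("<I", buf[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("unsupported magic 0x%08x (pcapng or nanosecond pcap?)" % magic)
    _major, _minor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", buf[4:24])
    packets: List[Packet] = []
    off = 24
    while off + 16 <= len(buf):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(
            endian + "IIII", buf[off:off + 16])
        off += 16
        if off + incl_len > len(buf):
            raise ValueError("truncated packet record at offset %d" % (off - 16))
        packets.append((ts_sec, ts_usec, orig_len, buf[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, packets


def write_pcap(linktype: int, snaplen: int, packets, endian: str = "<") -> bytes:
    """Serialise packets as a classic pcap file (little-endian by default)."""
    out = [struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, orig_len, data in packets:
        out.append(struct.pack(endian + "IIII", ts_sec, ts_usec, len(data), orig_len))
        out.append(data)
    return b"".join(out)


def merge_pcaps(*bufs: bytes) -> bytes:
    """Merge pcap files into one ordered by arrival time.

    Each input is already in capture order, so an N-way merge (heapq.merge)
    streams them in O(total packets) without sorting everything in memory.
    Inputs with different link-layer types are refused: the output header
    holds a single linktype, so foreign packets could not be decoded later.
    """
    parsed = [parse_pcap(b) for b in bufs]
    linktypes = {lt for lt, _, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError("link-layer types differ: %s" % sorted(linktypes))
    snaplen = max(sl for _, sl, _ in parsed)
    merged = heapq.merge(*(pkts for _, _, pkts in parsed),
                         key=lambda p: (p[0], p[1]))
    return write_pcap(linktypes.pop(), snaplen, merged)


def timestamps(buf: bytes) -> List[str]:
    """Packet times in the 'tcpdump -tt' style used in this readme."""
    return ["%d.%06d" % (s, us) for s, us, _, _ in parse_pcap(buf)[2]]


def fake_packet(ts_sec: int, ts_usec: int, length: int) -> Packet:
    """Constructed test packet: filler bytes, not a real datagram."""
    return (ts_sec, ts_usec, length, bytes([length & 0xFF]) * length)


# Constructed inputs mirroring file1.log / file2.log (timestamps from the readme).
LINKTYPE_ETHERNET = 1
FILE1 = write_pcap(LINKTYPE_ETHERNET, 65535, [
    fake_packet(977231921, 235979, 92), fake_packet(977231921, 238222, 96),
    fake_packet(977231921, 240246, 88)])
FILE2 = write_pcap(LINKTYPE_ETHERNET, 65535, [
    fake_packet(977231921, 232584, 68), fake_packet(977231921, 236564, 80),
    fake_packet(977231921, 238585, 80)])

if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: pcap_merge.py OUT.pcap IN1.pcap IN2.pcap ...
        inputs = []
        for name in sys.argv[2:]:
            with open(name, "rb") as f:
                inputs.append(f.read())
        with open(sys.argv[1], "wb") as f:
            f.write(merge_pcaps(*inputs))
    else:
        print("\n".join(timestamps(merge_pcaps(FILE1, FILE2))))
```

Saved as pcap_merge.py (an assumed name), "python3 pcap_merge.py join.log file1.log file2.log" followed by "tcpdump -nttr join.log" gives the same ordering as the tcpdmerge run above. The merge keeps only one packet record per input in flight at a time; the memory cost is the parsed input buffers, which this version holds whole for simplicity, whereas tcpdmerge streams from disk.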