Palo Alto Networks Knowledgebase: How to Combine Packet Capture Files

How to Combine Packet Capture Files

1933
Created On 02/08/19 00:02 AM - Last Updated 02/08/19 00:02 AM
Resolution

Issue

After taking packet captures on the Transmit and Receive stages of the firewall's packet capture function, it is often not possible to follow a TCP stream. This is usually because of NAT rules which cause the source port to change.

Resolution

A default Wireshark (www.wireshark.org) install includes several command line utilities, one of which is called Mergecap. By combining the Transmit and Receive captures together, more of the Wireshark analysis functions can be used including following streams.

To merge two (or more) packet captures together, ensure mergecap is in your path or place your captures into the Wireshark install folder. Navigate to the folder where the captures are, and enter the following command:

mergecap.exe -w combined.pcap transmit.pcap receive.pcap

This will merge transmit.pcap and receive.pcap into combined.pcap. Once combined.pcap is opened, following the TCP streams will work properly. Filtering out one side of the communication regardless if it was transmitted or received will also work properly.

owner: gwesson



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClYTCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language