How to Combine Packet Capture Files
After taking packet captures on the Transmit and Receive stages of the firewall's packet capture function, it is often not possible to follow a TCP stream. This is usually because of NAT rules which cause the source port to change.
A default Wireshark (www.wireshark.org) install includes several command line utilities, one of which is called Mergecap. By combining the Transmit and Receive captures together, more of the Wireshark analysis functions can be used including following streams.
To merge two (or more) packet captures together, ensure mergecap is in your path or place your captures into the Wireshark install folder. Navigate to the folder where the captures are, and enter the following command:
mergecap.exe -w combined.pcap transmit.pcap receive.pcap
This will merge transmit.pcap and receive.pcap into combined.pcap. Once combined.pcap is opened, following the TCP streams will work properly. Filtering out one side of the communication regardless if it was transmitted or received will also work properly.