Merging Wireshark captures with mergecap

Often a phone call (or data stream) can span multiple capture files. This is especially true when setting a small file size in your CLI capture syntax. Mergecap will allow you to merge multiple files into one.

Assuming that mergecap is in your PATH, you can execute the following:

mergecap -w OUTPUTFILE.pcap inputfile1.pcap inputfile2.pcap inputfile3.pcap

You can also use shell wildcard patterns (globbing) for the input file names to cut down the amount of typing.

In the image below, I used ls, awk and grep to cut out file permissions from the output. Don’t worry about that. Just notice that I have four files that match the expression. Three of the four files are roughly 20M each. The other file is 142K.

I then executed the mergecap program and specified “mergefile.pcap” as the output filename. After the output name I have specified which files to use as the input. Notice that I used a regular expression to match all files that contain “85848_BRAU_125” and then have 0, 1, 2 or 3 as the next character in the name.

About 3 seconds later the files are merged. Note: This is MUCH quicker than merging from the GUI Wireshark screen.


After the merge I have a single file of 59M.
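By default mergecap interleaves packets from all inputs by timestamp rather than appending the files back to back. The following Python, added here and not taken from the post or from the Wireshark project, parses classic pcap files and performs that same chronological merge; the two sample captures are constructed inline, and the requirement that all inputs share one link type is an assumption for classic (non-pcapng) output.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
GLOBAL_HDR = "IHHiIII"    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = "IIII"          # ts_sec, ts_usec, incl_len, orig_len

def read_pcap(data: bytes):
    """Parse an in-memory classic pcap file (either byte order) into
    (linktype, snaplen, [(ts_sec, ts_usec, packet_bytes), ...])."""
    for endian in ("<", ">"):
        if struct.unpack_from(endian + "I", data, 0)[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    _, _, _, _, _, snaplen, linktype = struct.unpack_from(endian + GLOBAL_HDR, data, 0)
    records, off = [], struct.calcsize(GLOBAL_HDR)
    while off < len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + PKT_HDR, data, off)
        off += struct.calcsize(PKT_HDR)
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")
        records.append((ts_sec, ts_usec, data[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, records


def write_pcap(linktype: int, snaplen: int, records) -> bytes:
    """Serialise records as a little-endian classic pcap file."""
    out = [struct.pack("<" + GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, pkt in records:
        out.append(struct.pack("<" + PKT_HDR, ts_sec, ts_usec, len(pkt), len(pkt)))
        out.append(pkt)
    return b"".join(out)


def merge_pcaps(files) -> bytes:
    """Merge in-memory pcap files chronologically, as mergecap does by default.
    All inputs must share one link type; snaplen becomes the largest input's."""
    parsed = [read_pcap(f) for f in files]
    linktypes = {lt for lt, _, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError(f"inputs have different link types: {sorted(linktypes)}")
    merged = [rec for _, _, recs in parsed for rec in recs]
    merged.sort(key=lambda r: (r[0], r[1]))   # stable sort: ties keep input order
    return write_pcap(linktypes.pop(), max(sl for _, sl, _ in parsed), merged)


# Constructed sample: two captures whose packets interleave in time (link type 1 = Ethernet).
SAMPLE_A = write_pcap(1, 65535, [(1000, 0, b"A0"), (1000, 500000, b"A1"), (1002, 0, b"A2")])
SAMPLE_B = write_pcap(1, 262144, [(1000, 250000, b"B0"), (1001, 0, b"B1")])
```

Calling merge_pcaps([SAMPLE_A, SAMPLE_B]) yields the packets in the order A0, B0, A1, B1, A2, which is what mergecap -w would write for the same two inputs; mergecap -a is the append mode that would keep file order instead.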
