mergecap(1) — Linux manual page


MERGECAP(1)                                                   MERGECAP(1)

NAME

       mergecap - Merges two or more capture files into one

SYNOPSIS

       mergecap [ -a ] [ -F <file format> ] [ -I <IDB merge mode> ] [ -s
       <snaplen> ] [ -V ] -w <outfile>|- <infile> [<infile> ...]

       mergecap -h|--help

       mergecap -v|--version

DESCRIPTION

       Mergecap is a program that combines multiple saved capture files
       into a single output file specified by the -w argument. Mergecap
       knows how to read pcap and pcapng capture files, including those
       of tcpdump, Wireshark and other tools that write captures in those
       formats.

       By default, Mergecap writes the capture file in pcapng format, and
       writes all of the packets from the input capture files to the
       output file.

       Mergecap is able to detect, read and write the same capture files
       that are supported by Wireshark. The input files don’t need a
       specific filename extension; the file format and an optional gzip,
       zstd or lz4 compression will be automatically detected. Near the
       beginning of the DESCRIPTION section of wireshark(1) or
       https://www.wireshark.org/docs/man-pages/wireshark.html is a
       detailed description of the way Wireshark handles this, which is
       the same way Mergecap handles this.

       Mergecap can write the file in several output formats. The -F flag
       can be used to specify the format in which to write the capture
       file; mergecap -F provides a list of the available output formats.

       Packets from the input files are merged in chronological order
       based on each frame’s timestamp, unless the -a flag is specified.
       Mergecap assumes that frames within a single capture file are
       already stored in chronological order. When the -a flag is
       specified, packets are copied directly from each input file to the
       output file, independent of each frame’s timestamp.

       The output file frame encapsulation type is set to the type of the
       input files if all input files have the same type. If not all of
       the input files have the same frame encapsulation type, the output
       file type is set to WTAP_ENCAP_PER_PACKET. Note that some capture
       file formats, most notably pcap, do not currently support
       WTAP_ENCAP_PER_PACKET. This combination will cause the output file
       creation to fail.

OPTIONS

       -a

           Causes the frame timestamps to be ignored, writing all packets
           from the first input file followed by all packets from the
           second input file. By default, when -a is not specified, the
           contents of the input files are merged in chronological order
           based on each frame’s timestamp.

           Note: when merging, mergecap assumes that packets within a
           capture file are already in chronological order.

       -F  <file format>

           Sets the file format of the output capture file. Mergecap can
           write the file in several formats; mergecap -F provides a list
           of the available output formats. By default this is the pcapng
           format.

       -h|--help
           Print the version number and options and exit.

       -I  <IDB merge mode>

           Sets the Interface Description Block (IDB) merge mode to use
           during merging. mergecap -I provides a list of the available
           IDB merge modes.

           Every input file has one or more IDBs, which describe the
           interface(s) the capture was performed on originally. This
           includes encapsulation type, interface name, etc. When
           mergecap merges multiple input files, it has to merge these
           IDBs somehow for the new merged output file. This flag
           controls how that is accomplished. The currently available
           modes are:

           none: No merging of IDBs is performed, and instead all IDBs
           are copied to the merged output file.

           all: IDBs are merged only if all input files have the same
           number of IDBs, and each IDB matches their respective entry in
           the other files. (Only the IDBs that occur at the beginning of
           the files, before any packet blocks, are compared. IDBs that
           occur later in the files are merged with duplicates iff the
           initial IDBs were merged.) This is the default mode.

           any: Any and all duplicate IDBs are merged into one IDB,
           regardless of what file they are in.

           Note that an IDB is only considered a matching duplicate if it
           has the same encapsulation type, name, speed, time precision,
           comments, description, etc.

       -s  <snaplen>

           Sets the snapshot length to use when writing the data. If the
           -s flag is used to specify a snapshot length, frames in the
           input file with more captured data than the specified snapshot
           length will have only the amount of data specified by the
           snapshot length written to the output file. This may be useful
           if the program that is to read the output file cannot handle
           packets larger than a certain size (for example, the versions
           of snoop in Solaris 2.5.1 and Solaris 2.6 appear to reject
           Ethernet frames larger than the standard Ethernet MTU, making
           them incapable of handling gigabit Ethernet captures if jumbo
           frames were used).

       -v|--version
           Print the full version information and exit.

       -V
           Causes mergecap to print a number of messages while it’s
           working.

       -w  <outfile>|-
           Sets the output filename. If the name is '-', stdout will be
           used. If the --compress option is not given, then the filename
           extension is used to deduce the desired compression method, if
           any; e.g., if the name has the extension '.gz', then the
           output file is compressed to a gzip archive. This setting is
           mandatory.

       --compress <type>

           Compress the output file using the <type> compression format.
           --compress with no argument provides a list of the compression
           formats supported for writing. The type given takes precedence
           over the extension of outfile.

DIAGNOSTIC OPTIONS

       --log-level <level>
           Set the active log level. Supported levels in lowest to
           highest order are "noisy", "debug", "info", "message",
           "warning", "critical", and "error". Messages at each level and
           higher will be printed, for example "warning" prints
           "warning", "critical", and "error" messages and "noisy" prints
           all messages. Levels are case insensitive.

       --log-fatal <level>
           Abort the program if any messages are logged at the specified
           level or higher. For example, "warning" aborts on any
           "warning", "critical", or "error" messages.

       --log-domains <list>
           Only print messages for the specified log domains, e.g.
           "GUI,Epan,sshdump". List of domains must be comma-separated.
           Can be negated with "!" as the first character (inverts the
           match).

       --log-debug <list>
           Force the specified domains to log at the "debug" level. List
           of domains must be comma-separated. Can be negated with "!" as
           the first character (inverts the match).

       --log-noisy <list>
           Force the specified domains to log at the "noisy" level. List
           of domains must be comma-separated. Can be negated with "!" as
           the first character (inverts the match).

       --log-fatal-domains <list>
           Abort the program if any messages are logged for the specified
           log domains. List of domains must be comma-separated.

       --log-file <path>
           Write log messages and stderr output to the specified file.

EXAMPLES

       To merge two capture files together into a third capture file, in
       which the last packet of one file arrives 100 seconds before the
       first packet of another file, use the following sequence of
       commands.

       First, use:

           capinfos -aeS a.pcap b.pcap

       to determine the start and end times of the two capture files, as
       seconds since January 1, 1970, 00:00:00 UTC.

       If a.pcap starts at 1009932757 and b.pcap ends at 873660281, then
       the time adjustment to b.pcap that would make it end 100 seconds
       before a.pcap begins would be 1009932757 - 873660281 - 100 =
       136272376 seconds.

       Thus, the next step would be to use:

           editcap -t 136272376 b.pcap b-shifted.pcap

       to generate a version of b.pcap with its time stamps shifted
       136272376 ahead.

       Then the final step would be to use:

           mergecap -w compare.pcap a.pcap b-shifted.pcap

       to merge a.pcap and the shifted b.pcap into compare.pcap.
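
       A pre-merge check for the procedure above, as an added example
       that is not part of the original manual page or the Wireshark
       project: it scans classic pcap input (pcapng is not handled) for
       packets stored out of chronological order, which mergecap assumes
       never happens, and computes the editcap -t offset. The function
       names and sample captures are constructed for illustration.

```python
import struct

# On-disk magic of classic pcap -> struct byte order (micro- and nanosecond variants)
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",
}

def scan_pcap(data):
    """Return (earliest, latest, backward_steps); timestamps are (sec, subsec)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order = MAGICS[data[:4]]
    stamps, off = [], 24                      # 24-byte global header
    while off + 16 <= len(data):              # 16-byte per-packet record header
        sec, sub, incl_len, _orig_len = struct.unpack_from(order + "IIII", data, off)
        if off + 16 + incl_len > len(data):
            break                             # truncated last record: stop scanning
        stamps.append((sec, sub))
        off += 16 + incl_len
    if not stamps:
        raise ValueError("capture contains no complete packet records")
    # A backward step is a packet stamped earlier than the one stored before it.
    backward = sum(1 for prev, cur in zip(stamps, stamps[1:]) if cur < prev)
    return min(stamps), max(stamps), backward

def editcap_shift(a_start_sec, b_end_sec, gap=100):
    """Seconds to add to b so that it ends `gap` seconds before a starts."""
    return a_start_sec - b_end_sec - gap

def build_pcap(stamps, payload=b"\x00" * 14):
    """Constructed sample: little-endian, microsecond, Ethernet link type."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for sec, usec in stamps:
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return out

# Constructed inputs using the start/end times from the man page's example.
SAMPLE_A = build_pcap([(1009932757, 0), (1009932760, 500000)])
SAMPLE_B = build_pcap([(873660200, 0), (873660281, 0)])
SAMPLE_UNSORTED = build_pcap([(873660281, 0), (873660200, 0)])

if __name__ == "__main__":
    a_first, _, _ = scan_pcap(SAMPLE_A)
    _, b_last, b_back = scan_pcap(SAMPLE_B)
    print("backward steps in b:", b_back)
    print("editcap -t", editcap_shift(a_first[0], b_last[0]), "b.pcap b-shifted.pcap")
    print("backward steps in unsorted sample:", scan_pcap(SAMPLE_UNSORTED)[2])
```

       A non-zero backward-step count means the input violates the
       ordering assumption; sort it first (for example with
       reordercap(1)) before merging without -a.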

SEE ALSO

       pcap(3), wireshark(1), tshark(1), dumpcap(1), editcap(1),
       text2pcap(1), pcap-filter(7) or tcpdump(8)

NOTES

       Mergecap is based heavily upon editcap by Richard Sharpe
       <sharpe[AT]ns.aus.com> and Guy Harris <guy[AT]alum.mit.edu>.

       This is the manual page for Mergecap 4.5.0. Mergecap is part of
       the Wireshark distribution. The latest version of Wireshark can be
       found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages.

AUTHORS

       Original Author
       Scott Renfro <scott[AT]renfro.org>

       Contributors
       Bill Guyton <guyton[AT]bguyton.com>

COLOPHON

       This page is part of the wireshark (Interactively dump and analyze
       network traffic) project. Information about the project can be
       found at ⟨https://www.wireshark.org/⟩. If you have a bug report
       for this manual page, see
       ⟨https://gitlab.com/wireshark/wireshark/-/issues⟩. This page was
       obtained from the project's upstream Git repository
       ⟨https://gitlab.com/wireshark/wireshark.git⟩ on 2025-08-11. (At
       that time, the date of the most recent commit that was found in
       the repository was 2025-08-11.) If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       [email protected]

                                2025-03-07                    MERGECAP(1)
