I'm trying to merge numerous pcap files together for post-processing after capture, however, I need to retain information about the source file of each packet (the file name contains information about the network tap source). This information isn't available anywhere in the packets themselves. My idea is to use the convenience of pcapng which allows adding a frame comment (frame.comment) to a packet and which can be done programmatically using editcap. I could use this to add information from the file name to each packet that would be carried forward into the merged file. However it seems that editcap only allows you to add comments to specific frames editcap -a <framenumber>:<comment> but not a range of frames. Doing this manually isn't a viable option as I am dealing with a lot of large pcap files. Ideas?
This will save the filename as a comment to every packet in every pcap, recursively. If you only need to do this to one file, remove the outer for loop.
for f in $(find *.pcap); do
num_frames=$(capinfos -rcT "$f" | awk '{ print $NF }')
for i in $(seq 1 $num_frames); do
editcap "$f" "$f" -a "$i:$f"
done
done
find *.pcap will recursively find all pcap-type files in this directorycapinfos is a wireshark CLI tool like wireshark that provides info on capturesNote that you could dynamically include some other comment instead, like timestamp.