assafmo / Joincap
Licence: mit
Merge multiple pcap files together, gracefully.
Stars: ✭ 159
Programming Languages
go
31211 projects - #10 most used programming language
Projects that are alternatives of or similar to Joincap
Pcapxray
❄️ PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction
Stars: ✭ 1,096 (+589.31%)
Mutual labels: network, pcap, forensics
Scapy
Scapy: the Python-based interactive packet manipulation program & library. Supports Python 2 & Python 3.
Stars: ✭ 6,932 (+4259.75%)
Mutual labels: network, network-analysis, pcap
Daggy
Daggy - Data Aggregation Utility. Open source, free, cross-platform, server-less, useful utility for remote or local data aggregation and streaming
Stars: ✭ 91 (-42.77%)
Mutual labels: network, network-analysis, pcap
Pentesting toolkit
🏴☠️ Tools for pentesting, CTFs & wargames. 🏴☠️
Stars: ✭ 1,268 (+697.48%)
Mutual labels: network, forensics
Nfsen Ng
Responsive NetFlow visualizer built on top of nfdump tools.
Stars: ✭ 112 (-29.56%)
Mutual labels: network, network-analysis
Graph sampling
Graph Sampling is a python package containing various approaches which samples the original graph according to different sample sizes.
Stars: ✭ 99 (-37.74%)
Mutual labels: network, network-analysis
Dns Discovery
DNS-Discovery is a multithreaded subdomain bruteforcer.
Stars: ✭ 114 (-28.3%)
Mutual labels: network, network-analysis
Brotab
Control your browser's tabs from the command line
Stars: ✭ 137 (-13.84%)
Mutual labels: commandline, command-line
Nload
Real-time network traffic monitor
Stars: ✭ 121 (-23.9%)
Mutual labels: network, network-analysis
Urbanaccess
A tool for GTFS transit and OSM pedestrian network accessibility analysis
Stars: ✭ 137 (-13.84%)
Mutual labels: network, network-analysis
Networkml
Machine learning plugins for network traffic
Stars: ✭ 73 (-54.09%)
Mutual labels: network-analysis, pcap
Swiftline
Swiftline is a set of tools to help you create command line applications.
Stars: ✭ 1,156 (+627.04%)
Mutual labels: commandline, command-line
Potiron
Potiron - Normalize, Index and Visualize Network Capture
Stars: ✭ 66 (-58.49%)
Mutual labels: network-analysis, pcap
Workbase
Grakn Workbase (Knowledge IDE)
Stars: ✭ 106 (-33.33%)
Mutual labels: network, network-analysis
Ctop
Top-like interface for container metrics
Stars: ✭ 12,188 (+7565.41%)
Mutual labels: commandline, command-line
Ntutils
Various Command Line Utilities Ported to Windows NT
Stars: ✭ 58 (-63.52%)
Mutual labels: commandline, command-line
Libtins
High-level, multiplatform C++ network packet sniffing and crafting library.
Stars: ✭ 1,609 (+911.95%)
Mutual labels: network, pcap
joincap
Merge multiple pcap files together, gracefully.
Installation
- Download a precompiled binary from https://github.com/assafmo/joincap/releases
- Or use go get:
    go get -u github.com/assafmo/joincap
- Or use Ubuntu PPA:
    curl -SsL https://assafmo.github.io/ppa/ubuntu/KEY.gpg | sudo apt-key add -
    sudo curl -SsL -o /etc/apt/sources.list.d/assafmo.list https://assafmo.github.io/ppa/ubuntu/assafmo.list
    sudo apt update
    sudo apt install joincap
Basic Usage
Usage:
joincap [OPTIONS] InFiles...
Application Options:
-v, --verbose Explain when skipping packets or entire input files
-V, --version Print the version and exit
-w= Sets the output filename. If the name is '-', stdout will be used (default: -)
Help Options:
-h, --help Show this help message
Why?
I believe skipping corrupt packets is better than failing the entire merge job.
When using tcpslice or mergecap, sometimes pcapfix is needed to fix bad input pcap files.
- One option is to try and run merge (mergecap/tcpslice); if we get errors, then run pcapfix on the bad pcaps and then run merge again.
  - Adds complexity (run -> check errors -> fix -> rerun)
  - (If errors) Demands more resources (pcapfix processes)
  - (If errors) Extends the total run time
- Another option is to run pcapfix on the input pcap files and then merge.
  - Extends the total run time by a lot (read and write each pcap twice instead of once)
  - Demands more storage (for the fixed pcaps)
  - Demands more resources (pcapfix processes)
- We can use pcapfix "in memory" with process substitution: mergecap -w out.pcap <(pcapfix -o /dev/stdout 1.pcap) <(pcapfix -o /dev/stdout 2.pcap).
  - Adds complexity (build a complex command line)
  - Demands more resources (pcapfix processes)
  - Harder for us to use pathname expansion (e.g. tcpslice -w out.pcap *.pcap)
  - We have to mind the command line character limit (in case of long pathnames)
  - Doesn't work for tcpslice (seeks the last packets to calculate time ranges - cannot do this with pipes)
joincap vs mergecap vs tcpslice
Error handling: Results
Use case | joincap | mergecap v2.4.5 | tcpslice v1.2a3 |
---|---|---|---|
Corrupt input global header | ✔️ | ❌ | ❌ |
Corrupt input packet header | ✔️ | ❌ | ❌ |
Unexpected EOF (last packet data is truncated) | ✔️ | ✔️ | ✔️ |
Input pcap has no packets (global header is ok, no first packet header) | ✔️ | ✔️ | ❌ |
Input file size is smaller than 24 bytes (global header is truncated) | ✔️ | ✔️ | ❌ |
Input file size is between 24 and 40 bytes (global header is ok, first packet header is truncated) | ✔️ | ❌ | ❌ |
Input file doesn't exist | ✔️ | ❌ | ❌ |
Input file is a directory | ✔️ | ❌ | ❌ |
Input file end is garbage | ✔️ | ✔️ | ❌ |
Input file is gzipped (.pcap.gz) | ✔️ | ✔️ | ❌ |
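The 24-byte and 40-byte boundaries in the table come from the classic pcap layout: a 24-byte global header followed by a 16-byte header before each packet. The Go sketch below is an added example, not joincap's own code; it classifies an input stream into the table's failure cases before a merge. The names classifyPcap and samplePcap, the verdict strings, and the length sanity check are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
)

// classifyPcap returns the count of complete packets and the first problem found.
func classifyPcap(r io.Reader) (int, string) {
	var gh [24]byte // global header
	if _, err := io.ReadFull(r, gh[:]); err != nil {
		return 0, "global header truncated"
	}
	bo := binary.ByteOrder(binary.LittleEndian)
	switch binary.LittleEndian.Uint32(gh[:4]) {
	case 0xa1b2c3d4, 0xa1b23c4d: // micro/nanosecond magic, little-endian file
	case 0xd4c3b2a1, 0x4d3cb2a1: // same magics, big-endian file
		bo = binary.BigEndian
	default:
		return 0, "corrupt global header"
	}
	snaplen := bo.Uint32(gh[16:20])
	for n := 0; ; n++ {
		var ph [16]byte // packet header: ts_sec, ts_usec, incl_len, orig_len
		if _, err := io.ReadFull(r, ph[:]); err == io.EOF {
			return n, "ok" // clean end; n == 0 means "no packets"
		} else if err != nil {
			return n, "packet header truncated"
		}
		incl, orig := bo.Uint32(ph[8:12]), bo.Uint32(ph[12:16])
		if incl > orig || (snaplen > 0 && incl > snaplen) { // heuristic (assumption)
			return n, "corrupt packet header"
		}
		if _, err := io.CopyN(io.Discard, r, int64(incl)); err != nil {
			return n, "unexpected EOF in packet data"
		}
	}
}

// samplePcap builds a constructed capture holding one 4-byte packet.
func samplePcap() []byte {
	b := make([]byte, 44)                               // 24 + 16 + 4 bytes
	copy(b, []byte{0xd4, 0xc3, 0xb2, 0xa1, 2, 0, 4, 0}) // LE magic, version 2.4
	// snaplen 65535, linktype 1, incl_len = orig_len = 4
	b[16], b[17], b[20], b[32], b[36] = 0xff, 0xff, 1, 4, 4
	return b
}

func main() { fmt.Println(classifyPcap(bytes.NewReader(samplePcap()[:42]))) }
```

Trailing garbage after the last good packet shows up here as a corrupt packet header with a non-zero packet count, which tells the caller how many packets are still safe to keep.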
Error outputs
Use case | Error outputs |
---|---|
Corrupt input global header | |
Corrupt input packet header | |
Unexpected EOF (last packet data is truncated) | |
Input pcap has no packets (global header is ok, no first packet header) | |
Input file size is smaller than 24 bytes (global header is truncated) | |
Input file size is between 24 and 40 bytes (global header is ok, first packet header is truncated) | |
Input file doesn't exist | |
Input file is a directory | |
Input file end is garbage | |
Input file is gzipped (.pcap.gz) | |
How to reproduce
Use case | How to reproduce |
---|---|
Corrupt input global header | |
Corrupt input packet header | |
Unexpected EOF (last packet data is truncated) | |
Input pcap has no packets (global header is ok, no first packet header) | |
Input file size is smaller than 24 bytes (global header is truncated) | |
Input file size is between 24 and 40 bytes (global header is ok, first packet header is truncated) | |
Input file doesn't exist | |
Input file is a directory | |
Input file end is garbage | |
Input file is gzipped (.pcap.gz) | |
Benchmarks
Tool | Version | Speed | Time |
---|---|---|---|
mergecap | 3.2.2 | 590MiB/s | 0m5.632s |
tcpslice | 1.2a3 | 838MiB/s | 0m3.666s |
joincap | 0.10.2 | 562MiB/s | 0m5.462s |
- Merging 3 files with total size of 2.99994GiB.
- Running on Linux 5.4.0-21-generic, with Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz (with SSE4.2), with 31765 MB of physical memory, with locale C, with zlib 1.2.11.