assafmo / Joincap

Licence: mit
Merge multiple pcap files together, gracefully.

Programming Languages

go

joincap

Merge multiple pcap files together, gracefully.


Installation

  • Download a precompiled binary from https://github.com/assafmo/joincap/releases

  • Or... Use go get:

    go get -u github.com/assafmo/joincap
    
  • Or use Ubuntu PPA:

    curl -SsL https://assafmo.github.io/ppa/ubuntu/KEY.gpg | sudo apt-key add -
    sudo curl -SsL -o /etc/apt/sources.list.d/assafmo.list https://assafmo.github.io/ppa/ubuntu/assafmo.list
    sudo apt update
    sudo apt install joincap
    

Basic Usage

Usage:
  joincap [OPTIONS] InFiles...

Application Options:
  -v, --verbose  Explain when skipping packets or entire input files
  -V, --version  Print the version and exit
  -w=            Sets the output filename. If the name is '-', stdout will be used (default: -)

Help Options:
  -h, --help     Show this help message

Why?

I believe skipping corrupt packets is better than failing the entire merge job.
When using tcpslice or mergecap, pcapfix is sometimes needed to repair bad input pcap files first. The usual ways of dealing with this each have drawbacks:

  1. Run the merge (mergecap/tcpslice) first; if it reports errors, run pcapfix on the bad pcaps and then run the merge again.
    • Adds complexity (run -> check errors -> fix -> rerun)
    • (If errors) Demands more resources (pcapfix processes)
    • (If errors) Extends the total run time
  2. Run pcapfix on all the input pcap files up front, then merge.
    • Extends the total run time by a lot (each pcap is read and written twice instead of once)
    • Demands more storage (for the fixed pcaps)
    • Demands more resources (pcapfix processes)
  3. Use pcapfix "in memory" with process substitution: mergecap -w out.pcap <(pcapfix -o /dev/stdout 1.pcap) <(pcapfix -o /dev/stdout 2.pcap).
    • Adds complexity (build a complex command line)
    • Demands more resources (pcapfix processes)
    • Harder to use pathname expansion (e.g. tcpslice -w out.pcap *.pcap)
    • We have to mind the command line character limit (in case of long pathnames)
    • Doesn't work for tcpslice (it seeks to the last packets to calculate time ranges, which cannot be done with pipes)

Error handling: joincap vs mergecap vs tcpslice

Results

Use case                                                                                            | joincap | mergecap v2.4.5 | tcpslice v1.2a3
----------------------------------------------------------------------------------------------------|---------|-----------------|----------------
Corrupt input global header                                                                         | ✔️      |                 |
Corrupt input packet header                                                                         | ✔️      |                 |
Unexpected EOF (last packet data is truncated)                                                      | ✔️      | ✔️              | ✔️
Input pcap has no packets (global header is ok, no first packet header)                             | ✔️      | ✔️              |
Input file size is smaller than 24 bytes (global header is truncated)                               | ✔️      | ✔️              |
Input file size is between 24 and 40 bytes (global header is ok, first packet header is truncated)  | ✔️      |                 |
Input file doesn't exist                                                                            | ✔️      |                 |
Input file is a directory                                                                           | ✔️      |                 |
Input file end is garbage                                                                           | ✔️      | ✔️              |
Input file is gzipped (.pcap.gz)                                                                    | ✔️      | ✔️              |
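The parsing rules behind that table fit in a short Go program. The block below is an added example written for this page, not joincap's own code: it reads classic little-endian pcap files from memory, treats a truncated or unrecognised global header (including the "major version 0" case) as fatal for that one file only, stops at a truncated packet header, an oversized incl_len or a cut-off last packet while keeping the packets already read, merges the survivors by timestamp and reports everything it skipped. The inputs are constructed inline to mirror the test_pcaps cases (an empty file, a 35-byte file, a file cut short mid-packet, a record whose incl_len is the 2368110654 mergecap complained about above); the 262144 limit is libpcap's MAXIMUM_SNAPLEN, and every function and file name here is this example's own. Big-endian and nanosecond-magic files, pcapng and gzip are not handled, and a missing file or a directory need real I/O, so they are left to the caller.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"sort"
)

// Added illustration of "skip the bad record, keep the job going" for classic
// little-endian pcap; these types and functions are not joincap's own code.
type Packet struct{ TsSec, TsUsec, OrigLen uint32; Data []byte }

const globalHeaderLen, packetHeaderLen, maxPacketLen = 24, 16, 262144 // pcap global header, record header, libpcap MAXIMUM_SNAPLEN

// ReadPackets returns the packets it could recover plus a warning for whatever made
// it stop early; an unusable global header is an error for the whole file.
func ReadPackets(name string, raw []byte) (pkts []Packet, linkType uint32, warnings []string, err error) {
	le := binary.LittleEndian
	if len(raw) < globalHeaderLen {
		return nil, 0, nil, fmt.Errorf("truncated global header: %d of %d bytes", len(raw), globalHeaderLen)
	}
	if magic := le.Uint32(raw[0:4]); magic != 0xa1b2c3d4 {
		return nil, 0, nil, fmt.Errorf("bad magic 0x%08x: not a little-endian classic pcap", magic)
	}
	if major := le.Uint16(raw[4:6]); major != 2 {
		return nil, 0, nil, fmt.Errorf("unsupported pcap major version %d", major)
	}
	linkType = le.Uint32(raw[20:24])
	for off := globalHeaderLen; off < len(raw); {
		var why string
		var inclLen uint32
		if len(raw)-off < packetHeaderLen {
			why = fmt.Sprintf("truncated packet header, %d trailing bytes ignored", len(raw)-off)
		} else if inclLen = le.Uint32(raw[off+8 : off+12]); inclLen > maxPacketLen {
			// The header itself is corrupt, so the next record's offset cannot be trusted either.
			why = fmt.Sprintf("corrupt packet header (incl_len=%d), rest of file skipped", inclLen)
		} else if off+packetHeaderLen+int(inclLen) > len(raw) {
			why = "unexpected EOF, truncated last packet dropped"
		}
		if why != "" {
			warnings = append(warnings, fmt.Sprintf("%s: offset %d: %s", name, off, why))
			break
		}
		h, start := raw[off:off+packetHeaderLen], off+packetHeaderLen
		pkts = append(pkts, Packet{le.Uint32(h[0:4]), le.Uint32(h[4:8]), le.Uint32(h[12:16]), raw[start : start+int(inclLen)]})
		off = start + int(inclLen)
	}
	return pkts, linkType, warnings, nil
}

// WritePcap serialises packets as a little-endian classic pcap, version 2.4.
func WritePcap(pkts []Packet, linkType uint32) []byte {
	le, out := binary.LittleEndian, []byte(nil)
	for _, v := range []uint32{0xa1b2c3d4, 2 | 4<<16, 0, 0, maxPacketLen, linkType} { // version 2.4, thiszone 0, sigfigs 0
		out = le.AppendUint32(out, v)
	}
	for _, p := range pkts {
		for _, v := range []uint32{p.TsSec, p.TsUsec, uint32(len(p.Data)), p.OrigLen} {
			out = le.AppendUint32(out, v)
		}
		out = append(out, p.Data...)
	}
	return out
}

// Merge skips files that cannot be parsed at all, keeps every packet the others yielded,
// and writes them in timestamp order. It assumes all inputs share one link type.
func Merge(inputs map[string][]byte) (out []byte, report []string) {
	var all, linkType = []Packet(nil), uint32(0)
	for name, raw := range inputs {
		pkts, lt, warns, err := ReadPackets(name, raw)
		if err != nil {
			report = append(report, name+": file skipped: "+err.Error())
			continue
		}
		report, linkType, all = append(report, warns...), lt, append(all, pkts...)
	}
	sort.SliceStable(all, func(i, j int) bool {
		return uint64(all[i].TsSec)<<32|uint64(all[i].TsUsec) < uint64(all[j].TsSec)<<32|uint64(all[j].TsUsec)
	})
	return WritePcap(all, linkType), report
}

// Demo merges constructed inputs mirroring the table's cases and re-parses the result.
func Demo() (merged []Packet, report []string) {
	mk := func(sec uint32, s string) Packet { return Packet{sec, 0, uint32(len(s)), []byte(s)} }
	ok := WritePcap([]Packet{mk(10, "AAAA"), mk(30, "CCCCCC")}, 1)
	eof := WritePcap([]Packet{mk(20, "BBBBB"), mk(50, "EEEEEEEE")}, 1)
	bad := append([]byte(nil), ok...)
	binary.LittleEndian.PutUint32(bad[32:36], 2368110654) // first record's incl_len, the value mergecap reports above
	out, report := Merge(map[string][]byte{
		"ok.pcap":                   ok,
		"unexpected_eof.pcap":       eof[:len(eof)-3], // last packet's data cut short
		"bad_first_header.pcap":     bad,
		"no_packets.pcap":           WritePcap(nil, 1), // global header only
		"empty":                     {},
		"partial_first_header.pcap": ok[:globalHeaderLen+11],
	})
	merged, _, _, _ = ReadPackets("merged", out)
	return merged, report
}

func main() { fmt.Println(Demo()) }
```

Running it prints the three packets that survived (timestamps 10, 20 and 30, interleaved from two files) and a four-line report, which is the kind of explanation joincap -v gives for what it skipped. One design point worth noting: a bad record header stops the file instead of resyncing, because classic pcap has no record delimiter, so once a length field is untrustworthy there is no safe way to find the next packet; the page marks joincap ✔️ for that case but does not describe how it recovers, so this example simply drops the remainder of the file.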

Error outputs

Corrupt input global header
  • tcpslice: bad tcpdump file test_pcaps/bad_global.pcap: archaic pcap savefile format
  • mergecap: The file "test_pcaps/bad_global.pcap" contains record data that mergecap doesn't support. (pcap: major version 0 unsupported)
Corrupt input packet header
  • tcpslice: Infinite loop?
  • mergecap: The file "test_pcaps/bad_first_header.pcap" appears to be damaged or corrupt. (pcap: File has 2368110654-byte packet, bigger than maximum of 262144)
Unexpected EOF
(last packet data is truncated)
Input pcap has no packets
(global header is ok, no first packet header)
  • tcpslice: Outputs empty pcap (Only global header)
Input file size is smaller than 24 bytes
(global header is truncated)
  • tcpslice: bad tcpdump file test_pcaps/empty: truncated dump file; tried to read 4 file header bytes, only got 0
Input file size is between 24 and 40 bytes
(global header is ok, first packet header is truncated)
  • tcpslice: bad status reading first packet in test_pcaps/partial_first_header.pcap: truncated dump file; tried to read 16 header bytes, only got 11
  • mergecap: The file "test_pcaps/partial_first_header.pcap" appears to have been cut short in the middle of a paket.
Input file doesn't exist
  • tcpslice: bad tcpdump file ./not_here: ./not_here: No such file or directory
  • mergecap: The file "./not_here" doesn't exist.
Input file is a directory
  • tcpslice: bad tcpdump file examples: error reading dump file: Is a directory
  • mergecap: "examples" is a directory (folder), not a file.
Input file end is garbage
  • tcpslice: problems finding end packet of file test_pcaps/bad_end.pcap
Input file is gzipped (.pcap.gz)
  • tcpslice: bad tcpdump file test_pcaps/ok.pcap.gz: unknown file format

How to reproduce

Corrupt input global header
  • joincap -w out_joincap.pcap test_pcaps/bad_global.pcap
  • mergecap -w out_mergecap.pcap test_pcaps/bad_global.pcap
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/bad_global.pcap
Corrupt input packet header
  • joincap -w out_joincap.pcap test_pcaps/bad_first_header.pcap
  • mergecap -w out_mergecap.pcap test_pcaps/bad_first_header.pcap
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/bad_first_header.pcap
Unexpected EOF
(last packet data is truncated)
  • joincap -w out_joincap.pcap test_pcaps/unexpected_eof_on_first_packet.pcap
  • mergecap -w out_mergecap.pcap test_pcaps/unexpected_eof_on_first_packet.pcap
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/unexpected_eof_on_first_packet.pcap
  • joincap -w out_joincap.pcap test_pcaps/unexpected_eof_on_second_packet.pcap
  • mergecap -w out_mergecap.pcap test_pcaps/unexpected_eof_on_second_packet.pcap
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/unexpected_eof_on_second_packet.pcap
Input pcap has no packets
(global header is ok, no first packet header)
  • joincap -w out_joincap.pcap test_pcaps/ok.pcap test_pcaps/no_packets.pcap
  • mergecap -w out_mergecap.pcap test_pcaps/ok.pcap test_pcaps/no_packets.pcap
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/ok.pcap test_pcaps/no_packets.pcap
Input file size is smaller than 24 bytes
(global header is truncated)
  • joincap -w out_joincap.pcap test_pcaps/ok.pcap test_pcaps/empty
  • mergecap -w out_mergecap.pcap test_pcaps/ok.pcap test_pcaps/empty
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/ok.pcap test_pcaps/empty
  • joincap -w out_joincap.pcap test_pcaps/ok.pcap test_pcaps/partial_global_header.pcap
  • mergecap -w out_mergecap.pcap test_pcaps/ok.pcap test_pcaps/partial_global_header.pcap
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/ok.pcap test_pcaps/partial_global_header.pcap
Input file size is between 24 and 40 bytes
(global header is ok, first packet header is truncated)
  • joincap -w out_joincap.pcap test_pcaps/ok.pcap test_pcaps/partial_first_header.pcap
  • mergecap -w out_mergecap.pcap test_pcaps/ok.pcap test_pcaps/partial_first_header.pcap
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/ok.pcap test_pcaps/partial_first_header.pcap
Input file doesn't exist
  • joincap -w out_joincap.pcap test_pcaps/ok.pcap ./not_here
  • mergecap -w out_mergecap.pcap test_pcaps/ok.pcap ./not_here
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/ok.pcap ./not_here
Input file is a directory
  • joincap -w out_joincap.pcap test_pcaps/ok.pcap test_pcaps/
  • mergecap -w out_mergecap.pcap test_pcaps/ok.pcap test_pcaps/
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/ok.pcap test_pcaps/
Input file end is garbage
  • joincap -w out_joincap.pcap test_pcaps/ok.pcap test_pcaps/bad_end.pcap
  • mergecap -w out_mergecap.pcap test_pcaps/ok.pcap test_pcaps/bad_end.pcap
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/ok.pcap test_pcaps/bad_end.pcap
Input file is gzipped (.pcap.gz)
  • joincap -w out_joincap.pcap test_pcaps/ok.pcap.gz
  • mergecap -w out_mergecap.pcap test_pcaps/ok.pcap.gz
  • tcpslice -D -w out_tcpslice.pcap test_pcaps/ok.pcap.gz

Benchmarks

Tool      Version  Speed     Time
mergecap  3.2.2    590MiB/s  0m5.632s
tcpslice  1.2a3    838MiB/s  0m3.666s
joincap   0.10.2   562MiB/s  0m5.462s
  • Merging 3 files with total size of 2.99994GiB.
  • Running on Linux 5.4.0-21-generic, with Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz (with SSE4.2), with 31765 MB of physical memory, with locale C, with zlib 1.2.11.