cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Script to merge AMD HS capture files (nfdump command)

raffaele_talari
Inactive

Hi there,

I'd like to share a little .bat script that is helpful when dealing with the output of the nfdump command on the AMD HS. As you are aware, with the AMD HS the default capture command is not tcpdump anymore but nfdump (rcon AMD commands console) . The difference between tcpdump and nfdump is the following:

"The result of nfdump traffc capture is a number of pcap files, one per each CPU worker thread involved in the capture. The pcap filename contains a unique filter id assigned to each capture."

So, to start your diagnostics, you should merge your capture files into one convenient file. To do so,you need to merge the output files located in /var/spool/adlex/spc/. They have a unique filter id and they should look like this:

spc.pcap.id.0000000004.th-01
spc.pcap.id.0000000004.th-02
...

So, to merge such files you have different options but the most popular one is without any doubt using a Wireshark application part called "mergecap.exe".

If you're running Wireshark on Linux it's not a big deal, move to /var/spool/adlex/spc/ and type one the following commands (including the right set of capture files with the wildcard):

mergecap -v spc.pcap.*.pcap -w merged_output_file.pcap

or

mergecap -v *.pcap -w merged_output_file.pcap

But if you're running Wireshark on Windows (i.e. because you didn't install it or you couldn't install it on the linux AMD) things can get too long...That's why I've created a little script to help you merging the output capture files instantly.

The body of the script is the following (copy and paste it, rename it as merge_capture.bat and put it in the folder where you copied your capture files):

setlocal enabledelayedexpansion
set capturefiles=
for %%f in (*.pcap) do set capturefiles=!capturefiles! %%f
Cmd /V:on /c "C:\Program Files\Wireshark\mergecap.exe" -w merged_capture.pcap %capturefiles%

once you have the merge_capture.bat copy and paste it in your dumps directory and just execute it from the command line:

merge_capture.bat

The result will be a "merged_capture.pcap" file containing the merged capture files ready to be opened in Wireshark to be analyzed.

The v2 of this script, as suggested by @ulf t., is the one where you can specify the filename you would like to give to the merged file as the first argument when executing merge_capture.bat:

setlocal enabledelayedexpansion
set capturefiles=
for %%f in (*.pcap) do set capturefiles=!capturefiles! %%f
Cmd /V:on /c "C:\Program Files\Wireshark\mergecap.exe" -w %1.pcap %capturefiles%

So, instead, you need to execute the following command from the cmd line:

merge_capture.bat MyMergedCaptureFileName

Hope that helps.

Please let me know if you have any questions or comments.

Ciao,

Raff

5 REPLIES 5

jaroslaw_orlows
Dynatrace Pro
Dynatrace Pro

Great input! Do you think the Windows scenario is frequent enough to have it documented in the nfdump command topic?

One comment. Would it be a good idea to enhance the script with filter id recognition, so that the script merges only the pcap files from the same capture process?

Hi @Jaroslaw O.,

in the last 2 weeks I've seen it happening 3 times at 3 different accounts..so I guess it is frequent enough to have it documented in the nfdump topic.

Yeah I thought about that and actually there are many ways to improve the script but what it is more important to me is having a fast and simple script to execute or even double-click on it and have the output ready rather than having a more complex but powerful script that needs input parameters and some work on it.

Anyway feel free to share the enhancement on the script, it's always better having options than none at all. 🙂

Cheers,

Raff

Very neat Raff!

Can I suggest a small change?

CMD /V:on /c "C:\Program files\wireshark\mergecap.exe" -w %1.pcap %capturefiles%

So when you call the BAT file , you use a name like "merge_capture.bat SAP" wich will give you a file named SAP.PCAP. Else you will have a problem with the files all being named the same or worse, overwritten.

Thanks for the suggestion, @ulf t.!

I'm updating the post.

Cheers,

Raff

adam_piotrowicz
Dynatrace Pro
Dynatrace Pro

Please keep in mind that since 12.4.12 RUM Console does th same when you use:

link.