Differences

This shows you the differences between two versions of the page.

--- pcaps:ixmgtool [2019/04/13 19:18] – [Example run] veera
+++ pcaps:ixmgtool [2019/04/15 16:48] – [How is it different from mergecap] veera
@@ Line 1: / Line 1: @@
-====== Merge multiple thin PCAP files into a single thick PCAP ======
+====== Merge multiple thin PCAP files into a single fat PCAP ======
 When you install Trisul Network Analytics , you get a free command line tool called ''trisul_ixmgtool''
@@ Line 20: / Line 20: @@
 Mergecap  is a command line [[https://www.wireshark.org/docs/man-pages/mergecap.html|utility from the wireshark]] project.  It also combines multiple thin PCAP files into a single  fat PCAP file. But it preserves the timestamps, hence works to //fatten// the output PCAP //only//  if there is significant overlap in the time windows.
-trisul_ixmgtool when run with the squish option , aligns the timestamps  of the files to the lowest timestamp and then processes the merge.  The following diagram illustrates the difference between mergecap and ixmgtool
+trisul_ixmgtool when run with the squish option , aligns the timestamps  of the files to the lowest timestamp and then processes the merge.  The following diagram illustrates the difference between mergecap and ixmgtool.
 {{:pcaps:ixmgtool.png |}}
+You can think of ixmgtool as combining the following three  operations
+  - Find the lowest timestamp from all the pcap files, and compute the deltas for each file
+  - Run ''editcap -t delta'' to transform the timestamps of each file
+  - Run ''mergecap'' on the transformed pcap files
 ====== Using trisul_ixmgtool ======