

Merge multiple thin PCAP files into a single thick PCAP

When you install Trisul Network Analytics, you get a free command line tool called trisul_ixmgtool.

This tool has a unique capability to squish PCAP files, which is very handy for creating fat PCAP files for testing.

What is a FAT pcap file

A FAT pcap file contains more unique flows and endpoints than a THIN pcap file.

While testing NSM[1] platforms we look for FAT PCAP files because they stress the memory usage and performance of the algorithms. Given a 10GB thin PCAP file with just 1 flow and a 1GB fat PCAP file with 100K flows, you should prefer the FAT file for testing.

FAT PCAP files can be hard to obtain. You might get them from large corporate border networks for private use, but in general they are quite hard to come across.

With the trisul_ixmgtool you can merge multiple thin PCAPs into a single fat PCAP file.

How is it different from mergecap

Mergecap is a command line utility from the Wireshark project. It also combines multiple thin PCAP files into a single PCAP file, but it preserves the original timestamps, so it only fattens the output when the time windows of the inputs overlap significantly; captures taken at different times are simply laid out one after another in the merged file.

trisul_ixmgtool, when run with the squish option, first aligns the timestamps of all input files to the lowest timestamp and then performs the merge, so flows from every input end up interleaved in the same time window. The following diagram illustrates the difference between mergecap and ixmgtool.
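As an added illustration (not part of this page and not Trisul's own code), the following Python script reproduces both behaviours on two constructed thin captures: a mergecap-style merge that keeps the original timestamps, and a squish-style merge that first shifts every input so its first packet lands on the earliest first-timestamp among the inputs. It handles only classic little-endian microsecond pcap files (not pcapng), and the exact alignment rule is assumed from the description above rather than taken from trisul_ixmgtool.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap, little-endian, microsecond timestamps (tcpdump on x86)

def write_pcap(packets, linktype=1):
    """Serialise [(ts_usec, bytes), ...] into a pcap image: 24-byte global header, 16-byte record headers."""
    out = [struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]  # linktype 1 = Ethernet
    for ts, pkt in packets:
        out.append(struct.pack('<IIII', ts // 1_000_000, ts % 1_000_000, len(pkt), len(pkt)) + pkt)
    return b''.join(out)

def read_pcap(data):
    """Parse a pcap image into [(ts_usec, bytes), ...]; pcapng, big-endian and nanosecond files are rejected."""
    if struct.unpack_from('<I', data, 0)[0] != PCAP_MAGIC:
        raise ValueError('only little-endian microsecond pcap is handled here')
    off, packets = 24, []
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from('<IIII', data, off)
        off += 16
        packets.append((sec * 1_000_000 + usec, data[off:off + incl_len]))
        off += incl_len
    return packets

def merge_preserving(captures):
    """mergecap-style: keep every original timestamp and interleave in time order."""
    merged = [p for cap in captures for p in read_pcap(cap)]
    merged.sort(key=lambda p: p[0])
    return merged

def merge_squish(captures):
    """Squish-style: shift each capture so its first packet lands on the earliest first-timestamp
    among all inputs, then interleave. The real wall-clock relation between inputs is discarded."""
    parsed = [p for p in (read_pcap(cap) for cap in captures) if p]  # skip empty inputs
    base = min(p[0][0] for p in parsed)
    merged = []
    for pkts in parsed:
        shift = pkts[0][0] - base
        merged.extend((ts - shift, pkt) for ts, pkt in pkts)
    merged.sort(key=lambda p: p[0])  # stable sort: ties keep input order
    return merged

def span_usec(packets):  # first-to-last microseconds; the same packets in a shorter span = a thicker file
    return packets[-1][0] - packets[0][0] if packets else 0

# Constructed inputs (placeholder payloads, not real traffic): two thin captures taken over an hour apart.
CAP_A = write_pcap([(1_000_000_000 + i * 1_000_000, b'A%d' % i) for i in range(3)])  # 1000.0s 1001.0s 1002.0s
CAP_B = write_pcap([(5_000_500_000 + i * 700_000, b'B%d' % i) for i in range(3)])    # 5000.5s 5001.2s 5001.9s

if __name__ == '__main__':
    print('mergecap-style span (s):', span_usec(merge_preserving([CAP_A, CAP_B])) / 1e6)  # 4001.9
    print('squish-style span (s):  ', span_usec(merge_squish([CAP_A, CAP_B])) / 1e6)      # 2.0
```

Writing `write_pcap(merge_squish([CAP_A, CAP_B]))` to a file gives the thick capture; packets from the two inputs now interleave within a 2-second window instead of sitting 4000 seconds apart.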

trisul_ixmgtool

To get the free ixmgtool, install Trisul Probe; you will then find trisul_ixmgtool in /usr/local/bin.

[1] Network Security Monitoring
pcaps/ixmgtool.1555161622.txt.gz · Last modified: 2019/04/13 18:50 by veera