1
00:00:00,000 --> 00:00:07,800

2
00:00:07,800 --> 00:00:09,800
Welcome back.

3
00:00:09,800 --> 00:00:13,259
We will be discussing the merging of data,

4
00:00:13,259 --> 00:00:16,248
the use of multiple files and so on and so forth

5
00:00:16,248 --> 00:00:19,465
with Wireshark and why this is important

6
00:00:19,465 --> 00:00:23,836
when you're running captures and trying to analyze data.

7
00:00:23,836 --> 00:00:29,967
One of the things to highlight is why we would merge files.

8
00:00:29,962 --> 00:00:36,495
So, if I had collected data from a source and I collected data from a destination,

9
00:00:36,495 --> 00:00:41,015
to merge these files specifically, I would need to know

10
00:00:41,015 --> 00:00:43,211
some pretty important things about them.

11
00:00:43,211 --> 00:00:45,418
For example, I have different options.

12
00:00:45,420 --> 00:00:53,061
I could prepend it so that when I merge the files, one file will go before the other file,

13
00:00:53,061 --> 00:00:57,168
and it won't be merged chronologically.

14
00:00:57,168 --> 00:00:59,660
Or I can append it; it would be after.

15
00:00:59,660 --> 00:01:03,087
Or I can merge them chronologically together.

16
00:01:03,087 --> 00:01:06,196
So there are 3 main options and reasons to do this.

17
00:01:06,189 --> 00:01:10,957
So, if you just want side-by-side views of data,

18
00:01:10,961 --> 00:01:15,111
then you would obviously pick the prepend or append options.

19
00:01:15,111 --> 00:01:20,331
But if you wanted to merge them together in a way where you can look at the files in one

20
00:01:20,331 --> 00:01:24,499
chronological list, then you would merge them chronologically.

21
00:01:24,499 --> 00:01:31,518
So very important when you're looking at files, and I'll give you an example of that in Wireshark.

22
00:01:31,532 --> 00:01:34,457
So, in our example here,

23
00:01:34,471 --> 00:01:40,133
obviously I want to first see what files it is that I'm thinking of merging.
24
00:01:40,133 --> 00:01:44,186
And I can go to File and File Set.

25
00:01:44,186 --> 00:01:50,392
I specifically am using a capture where I have a large number of

26
00:01:50,392 --> 00:01:56,489
files that basically are all in order of capture.

27
00:01:56,489 --> 00:02:00,910
And I can switch between them to review them if I need to.

28
00:02:00,910 --> 00:02:09,644
But if I wanted to merge them, I could append them each to one file with the merge option.

29
00:02:09,649 --> 00:02:12,701
So there are reasons here why you want to do this.

30
00:02:12,701 --> 00:02:17,310
Obviously, the 2 main reasons would be

31
00:02:17,310 --> 00:02:20,681
that you had run a capture and split up some data,

32
00:02:20,681 --> 00:02:25,739
and then you want to put it all back in one capture and analyze it in one chunk.

33
00:02:25,739 --> 00:02:30,567
Or you would want to take 2 different captures and

34
00:02:30,567 --> 00:02:33,408
maybe merge so that you could take a look

35
00:02:33,408 --> 00:02:40,244
specifically at what it is that you were looking to add together.

36
00:02:40,244 --> 00:02:43,798
So to merge, very simply: File, Merge.

37
00:02:43,798 --> 00:02:49,437
Select the files and combine them together. It's a very simple operation,

38
00:02:49,440 --> 00:02:52,975
and once you're done, you will be able to either append,

39
00:02:52,967 --> 00:02:59,544
prepend, or chronologically merge the data together.

40
00:02:59,544 --> 00:03:02,974
You can also use the command line to do this.

41
00:03:02,968 --> 00:03:07,446
Mergecap will allow you to merge files at the command line.

42
00:03:07,446 --> 00:03:11,978
Again, you would want to type man mergecap so that you could see

43
00:03:11,986 --> 00:03:16,636
what options or switches are available to you

44
00:03:16,636 --> 00:03:20,494
to perform an append or a prepend, as an example.

45
00:03:20,494 --> 00:03:26,156
So just remember that you can also do these options directly at the command line.
46
00:03:26,156 --> 00:03:32,309
And then once you do merge the data, you can select specifically,

47
00:03:32,309 --> 00:03:34,609
as you can see in the options here:

48
00:03:34,609 --> 00:03:38,323
Do I want to prepend the packets to an existing file?

49
00:03:38,323 --> 00:03:41,825
Do I want to merge the packets chronologically?

50
00:03:41,825 --> 00:03:45,054
Or do I want to append the packets to an existing file?

51
00:03:45,054 --> 00:03:47,280
Again, there are reasons for doing each.

52
00:03:47,270 --> 00:03:52,314
If you've recorded a list, again, when we were talking about

53
00:03:52,314 --> 00:03:59,269
the slicing up of a pre-capture option setting, and I want to have a few files

54
00:03:59,266 --> 00:04:03,341
and now I want to combine them, this might be an option to do so,

55
00:04:03,341 --> 00:04:08,208
and/or if I'm troubleshooting a network and I need to look at everything in one capture,

56
00:04:08,208 --> 00:04:13,487
I may want to append, prepend or merge chronologically.

57
00:04:13,487 --> 00:04:17,259
I just want to take a moment to thank everybody for their participation in

58
00:04:17,275 --> 00:04:19,981
INE's Wireshark Foundations.

59
00:04:19,976 --> 00:04:28,233
It was a chance for us at INE to give you, the student, exactly what you would need

60
00:04:28,233 --> 00:04:33,264
to work with Wireshark out of the box, to get it up and running

61
00:04:33,264 --> 00:04:34,908
and to get moving with it.
62
00:04:34,908 --> 00:04:38,608
So our goal was to give you a set of classes

63
00:04:38,608 --> 00:04:43,733
that allowed you to move from basic knowledge

64
00:04:43,733 --> 00:04:48,421
to a more advanced level and to get the hang of using Wireshark

65
00:04:48,421 --> 00:04:52,958
more from a field perspective: get the look and feel down,

66
00:04:52,958 --> 00:04:57,666
know the tools available within it, different options, things you can do,

67
00:04:57,666 --> 00:05:01,119
troubleshoot with different types of protocols

68
00:05:01,119 --> 00:05:05,336
and what you can use within Wireshark to help you dissect that traffic

69
00:05:05,336 --> 00:05:12,730
to be able to look within it to see exactly where a problem may be.

70
00:05:12,730 --> 00:05:15,663
Again, with Wireshark, it's just a tool.

71
00:05:15,663 --> 00:05:19,762
It can't take away from you, it's only an extension of you,

72
00:05:19,781 --> 00:05:22,641
and the more you know about networking,

73
00:05:22,651 --> 00:05:28,285
the more you know about protocols and traffic, and analysis and networking,

74
00:05:28,307 --> 00:05:32,157
the better off you will be once you learn how to use Wireshark.

75
00:05:32,167 --> 00:05:37,765
So again, I appreciate your participation. I thank you greatly for your time

76
00:05:37,764 --> 00:05:42,796
and I look forward to working with you all in the future.

77
00:05:42,796 --> 00:05:49,419