

1.5 Merging

One may merge two IEEE 802.11 traces into one using the wipal-simple-merge command.

Use the -h option to display a description of the command's syntax. It takes two inputs and produces one output. When run, the merging process starts by precisely synchronizing both inputs (see Synchronization). Both traces are then merged, with special care taken not to re-order packets or to count duplicate packets twice in the output (that is, packets that are present in both traces appear only once in the output).

This command expects PCAP traces with either Prism headers, AVS headers, Radiotap headers, raw IEEE 802.11 frames, or pseudo-Ethernet II frames as link type. The -p and -P options only work with Prism headers. The following timestamps are used, unless -y is provided:

IEEE 802.11 frames
     PCAP timestamps,
Ethernet II frames
     PCAP timestamps,
Radiotap headers
     Radiotap headers' tsft fields. The command will fail with Radiotap headers that do not contain such fields,
AVS headers
     AVS headers' mactime fields,
Prism headers
     Prism headers' mactime fields.

e.g.:

     wipal-simple-merge a.pcap b.pcap output.pcap
     wipal-simple-merge -P -n foo-ath2.0:foo-ath2.1 bar-ath2 foo-bar-ath2
     ...

1.5.1 Notes regarding traces with Ethernet II frames as link type

See Unique frames.

Since version 4.0, WiPal is able to merge traces with Ethernet II frames as link type. This is useful because some wireless traces use this link type. These traces only contain IP packets encapsulated into pseudo-Ethernet frames.

Since these traces contain no IEEE 802.11 MAC headers, one cannot use the usual attributes – that rely on these headers – to merge them. Therefore, use the hsh_en2 attributes when merging Ethernet II traces (see option -a). Using these attributes tells WiPal to decapsulate Ethernet frames and use the following frames as unique frames:

Also note that machines recording PCAP traces while emitting packets generally record imprecise timestamps for emitted packets. In order to solve this issue, you might specify an IPv4 address for each trace (see Input syntax). Frames originating from this address in this specific trace will be ignored for synchronization.

Finally, remember that Ethernet traces only contain PCAP timestamps, and these timestamps are not as precise as PHY-level timestamps. You might want to use option -x to raise the expected precision above 106 microseconds.

1.5.2 Merging more than two traces

wipal-simple-merge is only able to merge two traces. In order to merge more traces, one should run successive merges following a given sequence. For instance, merging traces A, B, and C might involve merging A and B into T first, and then merging T and C. The wipal-merge command selects a merging sequence and runs the corresponding merge operations in turn.

e.g.:

     wipal-merge t1.pcap t2.pcap t3.pcap
     wipal-merge -n -P t11.pcap:t12.pcap:t13.pcap t21.pcap:t22.pcap t3.pcap

There is no rule to determine which merging sequence will give the “best” results. We consider that the two traces that are the most similar should be merged first. This is to avoid generating anomalies due to a lack of reference frames (see Synchronization). In order to compute similarity between two traces A and B, WiPal counts the number of reference frames it is able to extract from these traces, stopping when it reaches B's 250,000th unique frame (see Unique frames). Despite its issues, this technique has the advantage of being both simple to implement and fast (determining a merging sequence should not take more time than actually merging the traces).

wipal-merge computes its merging sequence as follows. Note that it is designed to be fast rather than to yield an optimal sequence.

  1. For each trace, compute its similarity with each other trace.
  2. Sort results by similarity.
  3. Pick up the most similar result.
  4. Pick up the next result in the list and repeat step 3 until all traces have been merged into one unique trace.
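
The steps above, worked through as an added example (this is not WiPal's own code). It assumes each picked result merges the two groups its traces currently belong to, reuses the original pairwise scores for intermediate traces instead of recomputing them, and writes intermediates to hypothetical merge-N.pcap files; the similarity scores are constructed.

```python
from itertools import combinations

def merge_sequence(traces, similarity):
    """Return [(left, right, output), ...]: pairwise merges, most similar first."""
    parent = {t: t for t in traces}    # union-find over the original traces
    current = {t: t for t in traces}   # group root -> file holding that group

    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]  # path halving
            t = parent[t]
        return t

    # Steps 1-2: score every unordered pair, most similar first.
    # Ties break on trace names so the sequence is deterministic.
    pairs = sorted(combinations(sorted(traces), 2),
                   key=lambda p: (-similarity[frozenset(p)], p))
    steps = []
    for a, b in pairs:                 # steps 3-4: walk the sorted results
        ra, rb = find(a), find(b)
        if ra == rb:
            continue                   # both already live in the same merged trace
        # Hypothetical naming scheme for intermediate outputs (assumption).
        out = f"merge-{len(steps) + 1}.pcap"
        steps.append((current[ra], current[rb], out))
        parent[rb] = ra
        current[ra] = out
        if len(steps) == len(traces) - 1:
            break                      # everything is in one trace
    return steps

def as_commands(steps):
    """Render each step in the 'input input output' form shown on this page."""
    return [f"wipal-simple-merge {l} {r} {o}" for l, r, o in steps]

# Constructed reference-frame counts, not real measurements.
SAMPLE_TRACES = ["t1.pcap", "t2.pcap", "t3.pcap", "t4.pcap"]
SAMPLE_SIMILARITY = {
    frozenset(("t1.pcap", "t2.pcap")): 120,
    frozenset(("t1.pcap", "t3.pcap")): 9000,
    frozenset(("t1.pcap", "t4.pcap")): 40,
    frozenset(("t2.pcap", "t3.pcap")): 300,
    frozenset(("t2.pcap", "t4.pcap")): 7000,
    frozenset(("t3.pcap", "t4.pcap")): 15,
}

if __name__ == "__main__":
    for cmd in as_commands(merge_sequence(SAMPLE_TRACES, SAMPLE_SIMILARITY)):
        print(cmd)
```

With the sample scores, the two strongly related pairs are merged first and the two intermediate traces are merged last, so the final merge is not starved of reference frames by an early pairing of dissimilar traces.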

One may compute the similarity between multiple traces using the wipal-similarity command. The output is sorted in ascending order of similarity. e.g.:

     wipal-similarity t1.pcap t2.pcap
     wipal-similarity -P t1.pcap t2.pcap t3.pcap t4.pcap