Wireshark-dev: Re: [Wireshark-dev] Multiple input files

From: Evan Huus <eapache@xxxxxxxxx>
Date: Thu, 5 Sep 2013 09:30:04 -0400
On Thu, Sep 5, 2013 at 9:26 AM, Evan Huus <eapache@xxxxxxxxx> wrote:
> On Thu, Sep 5, 2013 at 9:19 AM, Dario Lombardo <dario.lombardo.ml@xxxxxxxxx> wrote:
>> Hi list,
>> I was trying to change the code of tshark to support multiple -r switches. The aim is to have many input files and one output file. Before getting mad in changing it, I was wondering if it makes sense or not, and if it was addressed before in some way.
>>
>> An example of its use:
>>
>> tshark -r input1.pcap -r input2.pcap -r input3.pcap -Y "dns.qry.name contains google" -o google.pcap
>>
>> Thanks for your suggestions.
>
> Mergecap already does this, but can't filter. Still, it's easy enough to use mergecap to merge the files and then filter second (or filter them individually first, then merge the filtered files).
>
> You can even (I think) pipe from mergecap to tshark as follows:
>
> mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -Y "dns.qry.name contains google" -o google.pcap

And the correct command should actually be:

mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y "dns.qry.name contains google" -o google.pcap
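As an added illustration of what the merge-then-filter pipeline above does (example code written for this page, not Wireshark or mergecap code), the following stdlib-only Python reads several classic pcap byte strings, merges their records in timestamp order the way mergecap does by default, keeps only Ethernet/IPv4/UDP DNS packets whose first question name contains a substring (the equivalent of `dns.qry.name contains google`), and writes a single output pcap. The two input captures are constructed inline, so it runs offline; `merge_and_filter`, `dns_query_name` and the helper names are this example's own. One practical note for anyone typing the real pipeline: tshark writes packets to a file with `-w`, while `-o` is for preference overrides.

```python
"""Merge several pcap byte strings and keep DNS queries whose name contains a
substring: a stdlib stand-in for `mergecap -w - a.pcap b.pcap | tshark -Y ...`.
Example code added for illustration; not part of Wireshark or mergecap."""
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def read_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, packet_bytes) records from a classic pcap blob."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off = 24                                      # skip the global header
    while off < len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, off)
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def write_pcap(records) -> bytes:
    """Serialise (ts_sec, ts_usec, packet_bytes) records as a classic pcap blob."""
    out = io.BytesIO()
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts_sec, ts_usec, pkt in records:
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), len(pkt)))
        out.write(pkt)
    return out.getvalue()


def dns_query_name(pkt: bytes):
    """Return the first question name of an Ethernet/IPv4/UDP DNS packet, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    ihl = (pkt[14] & 0x0F) * 4
    if pkt[23] != 17:                                 # IP protocol field: not UDP
        return None
    udp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", pkt, udp)
    if 53 not in (sport, dport):
        return None
    dns = udp + 8
    qdcount, = struct.unpack_from("!H", pkt, dns + 4)
    if qdcount == 0:
        return None
    labels, pos = [], dns + 12                        # first question follows the 12-byte header
    while pos < len(pkt) and pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def merge_and_filter(pcaps, needle: str) -> bytes:
    """Chronologically merge all inputs (mergecap's default) and keep only DNS
    queries whose name contains `needle` (cf. `dns.qry.name contains ...`)."""
    records = [rec for data in pcaps for rec in read_pcap(data)]
    records.sort(key=lambda r: (r[0], r[1]))
    kept = [r for r in records
            if (name := dns_query_name(r[2])) is not None and needle in name]
    return write_pcap(kept)


# --- constructed sample input (synthetic packets, not real captures) ---------
def make_dns_query(name: str, ts_sec: int):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + udp
    eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00" + ip
    return ts_sec, 0, eth


INPUT1 = write_pcap([make_dns_query("www.google.com", 100), make_dns_query("example.org", 102)])
INPUT2 = write_pcap([make_dns_query("mail.google.com", 101)])


def demo():
    """Query names surviving the merge+filter, in merged timestamp order."""
    out = merge_and_filter([INPUT1, INPUT2], "google")
    return [dns_query_name(p) for _, _, p in read_pcap(out)]


if __name__ == "__main__":
    print(demo())   # ['www.google.com', 'mail.google.com']
```

Note that the record from the second input lands between the two records of the first, because the merge is by timestamp rather than by input order; that is the behaviour to expect from `mergecap` as well, and it matters when the filtered output is later examined as one conversation.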