[Dario Lombardo <dario.lombardo.ml@xxxxxxxxx>]

On Thu, Sep 5, 2013 at 3:30 PM, Evan Huus <eapache@xxxxxxxxx> wrote:

mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y "dns.qry.name contains google" -o google.pcap

mergecap would be certainly an option, if the merged file is not too big to be given to tshark. 

I have 10 file, 1G each. If I merge them, the resulting 10G file is too big for tshark. I'd need to run tshark on every 1G file, then merge the output, not the inverse.

Another option could be to add the opportunity to append tshark output to an existing pcap file (this is not supported now, is it?).