Wireshark-dev: Re: [Wireshark-dev] Multiple input files

Date: Thu, 5 Sep 2013 18:08:01 +0200
Title: Re: [Wireshark-dev] Multiple input files
Hi Dario,

Thursday, September 5, 2013, 3:54:51 PM, you wrote:


On Thu, Sep 5, 2013 at 3:30 PM, Evan Huus <eapache@xxxxxxxxx> wrote:

mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y "
dns.qry.name contains google" -o google.pcap 
mergecap would be certainly an option, if the merged file is not too big to be given to tshark. 
I have 10 file, 1G each. If I merge them, the resulting 10G file is too big for tshark. I'd need to run tshark on every 1G file, then merge the output, not the inverse.

Another option could be to add the opportunity to append tshark output to an existing pcap file (this is not supported now, is it?).
You could use a batch script to do what you want, like

       for %%a IN (*.pcap) DO tshark.exe -r "%%a" -R "dns.qry.name contains google" -w "filtered_%%a"
       mergecap -a -w all-google-queries.pcap filtered*.pcap

Cheers,
Jasper