<jasper.sharklists@...> writes:
> You could use a batch script to do what you want, like
> for %%a IN (*.pcap) DO tshark.exe -r "%%a" -R "dns.qry.name contains google" -w "filtered_%%a"
> mergecap -a -w all-google-queries.pcap filtered*.pcap

Great idea Jasper! I was thinking the same thing, only that it might be
nicer if mergecap supported reading from stdin, so that you could then have
a script along the lines of the following to avoid creating so many
temporary files. I don't know which method would be more efficient though -
i.e., merge 1 file at a time or merge them all together at the end.

#!/bin/sh
# Usage: merge-filtered.sh <directory> <filter> <outfile>
# Filters every capture in <directory> with a display filter and merges the
# results into <outfile> one file at a time, keeping a single temporary file
# instead of one filtered copy per input.
if [ "$#" -lt 3 ]
then
    echo "Usage: $0 <directory> <filter> <outfile>" >&2
    exit 1
fi
dir=$1
filter=$2
outfile=$3
tmpfile=__tmp.pcap
rm -f "$tmpfile"
for file in "$dir"/*
do
    [ -f "$file" ] || continue
    if [ -s "$tmpfile" ]
    then
        # merge this file's matching packets with everything merged so far
        wireshark-gtk2/tshark.exe -r "$file" -Y "$filter" -F libpcap -w - |
        wireshark-gtk2/mergecap.exe -w "$outfile" - "$tmpfile"
    else
        # first file: nothing to merge with yet (mergecap rejects an empty file)
        wireshark-gtk2/tshark.exe -r "$file" -Y "$filter" -F libpcap -w "$outfile"
    fi
    cp -f "$outfile" "$tmpfile"
done
rm -f "$tmpfile"
echo "Done merging files in $dir/ to $outfile"
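The "merge them all together at the end" alternative, written as a POSIX sh function (an added example, not code from this thread): filter each capture into a scratch directory, drop the header-only outputs where nothing matched, and call mergecap once. It assumes tshark and mergecap are on PATH; the TSHARK and MERGECAP variables are assumptions that let you point at other command names.

```shell
#!/bin/sh
# Assumed command names; override with TSHARK=... MERGECAP=... in the environment.
TSHARK="${TSHARK:-tshark}"
MERGECAP="${MERGECAP:-mergecap}"

# filter_merge DIR FILTER OUTFILE
# Writes the merged capture to OUTFILE and prints how many input files
# produced at least one matching packet. Returns 1 on bad arguments.
filter_merge() {
    dir=$1; filter=$2; outfile=$3
    [ -d "$dir" ] && [ -n "$filter" ] && [ -n "$outfile" ] || return 1
    work=$(mktemp -d) || return 1
    n=0
    for f in "$dir"/*.pcap "$dir"/*.pcapng; do
        [ -f "$f" ] || continue                 # unmatched glob pattern
        tmp="$work/$(basename "$f").pcap"
        "$TSHARK" -r "$f" -Y "$filter" -F libpcap -w "$tmp" || continue
        # A pcap with no packets is just the 24-byte global header; skip it so
        # mergecap only sees files that actually matched the filter.
        if [ "$(wc -c < "$tmp" | tr -d ' ')" -gt 24 ]; then
            n=$((n + 1))
        else
            rm -f "$tmp"
        fi
    done
    if [ "$n" -gt 0 ]; then
        "$MERGECAP" -a -w "$outfile" "$work"/*.pcap || { rm -rf "$work"; return 1; }
    fi
    rm -rf "$work"
    echo "$n"
}
```

One mergecap run over all filtered files costs one temporary file per input, so the trade-off against the incremental script above is disk space versus repeated re-reading of the growing merged file.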