Wireshark-dev: Re: [Wireshark-dev] Multiple input files

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Fri, 6 Sep 2013 19:50:20 +0000 (UTC)
Dario Lombardo <dario.lombardo.ml@...> writes:

> for file in *.pcap
> do
>   tshark -r $file -Y "FILTER" -w - | mergecap -a - -w output.pcap
> done
> 
> what about that?

Two problems:
1) How do you guarantee the files will be processed in correct time order
for appending?

2) mergecap today doesn't support reading from stdin.

I think Jasper's solution is the way to go for now (less the -a option due
to #1 above).

Even my earlier proposed script isn't as useful as it could be.  What might
make it more useful (potentially) is if in addition to supporting reading
from stdin, mergecap also supported reading from and writing to the same
file, as that would completely avoid the tmp file(s) altogether, i.e.:

#!/bin/sh

# Hypothetical script: it depends on mergecap being able to read a capture
# from stdin ("-") and to read from and write to the same file, neither of
# which mergecap supports today (see the text above).

if [ "$#" -lt 3 ]
then
        echo "Usage: $0 <directory> <filter> <outfile>"
        exit 1
fi

filter=$2
outfile=$3

# Start from an empty output capture so the first merge has something to read.
rm -f "$outfile"
touch "$outfile"
for file in "$1"/*
do
        [ -e "$file" ] || continue      # skip the literal glob on an empty directory
        # Filter one input capture and pipe the result straight into mergecap,
        # which (hypothetically) merges it into the existing output in place.
        wireshark-gtk2/tshark.exe -r "$file" -Y "$filter" -F libpcap -w - |
        wireshark-gtk2/mergecap.exe -w "$outfile" - "$outfile"
done

echo "Done merging files in $1/ to $outfile"

echo "Done merging files in $1/ to $outfile"