Hi,
Could someone explain to me why the capture filter does not take effect when doing this:
cat snort.log.1221770409 | tshark -i - -f "host 10.10.2.4"
tshark shows all packets - not only those for host 10.10.2.4.
The above is just a simple test. What I really need to do is to merge a bunch of big pcap files + apply a filter + write the result to a new pcap file. I tried this:
mergecap -w - snort.log.1221* | tshark -i - -w /test_0918.pcap -f "host 10.10.2.4"
But the filter did not work, so the output file hit the 2.1 GB limit, crashed and burned.
Any help would be great!
Thanks,
JB
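Added example, not part of the original post or of the Wireshark project: the `-f` option is a libpcap capture filter, which is compiled to BPF and applied to a live interface; dumpcap does not apply it to packets arriving on a pipe, so `-i -` with `-f` passes every packet through. Offline, the filter has to be applied by the reader of the merged stream instead: `mergecap -w - snort.log.1221* | tcpdump -r - -w out.pcap host 10.10.2.4` applies the same BPF expression to a pcap stream, and tshark's read filter does the job in display-filter syntax (`tshark -r - -w out.pcap -R "ip.addr == 10.10.2.4"` on the tshark of that era; `-Y` in current releases). The Python below does the equivalent work in the standard library so the mechanics are visible: it merges several classic pcap files in timestamp order as mergecap does, keeps only frames to or from one IPv4 host (the `host A.B.C.D` predicate, plain IPv4-over-Ethernet only), and rolls the output to a new file before a byte limit is crossed, which is the check a 2 GB-limited writer would want. The three input files and their frames are constructed in `constructed_inputs()`; the addresses and the 160-byte cap are arbitrary assumptions for the demo.

```python
# Added example (not from the original post): offline merge + host filter +
# size-capped write for classic pcap files, standard library only.
import heapq
import io
import ipaddress
import struct
from typing import Iterable, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
Record = Tuple[int, int, bytes]  # (ts_sec, ts_usec, frame bytes)


def pcap_global_header(endian: str = "<", snaplen: int = 65535) -> bytes:
    """24-byte pcap file header, version 2.4, Ethernet link type."""
    return struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)


def pcap_record(rec: Record, endian: str = "<") -> bytes:
    ts_sec, ts_usec, data = rec
    return struct.pack(endian + "IIII", ts_sec, ts_usec, len(data), len(data)) + data


def build_pcap(records: Iterable[Record], endian: str = "<") -> bytes:
    return pcap_global_header(endian) + b"".join(pcap_record(r, endian) for r in records)


def read_pcap(fp) -> Iterator[Record]:
    """Stream records from a pcap file object; accepts either byte order."""
    hdr = fp.read(24)
    if len(hdr) < 24:
        raise ValueError("truncated pcap header")
    magic = struct.unpack("<I", hdr[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:           # same magic written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    if struct.unpack(endian + "I", hdr[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled here")
    while True:
        rh = fp.read(16)
        if not rh:
            return
        if len(rh) < 16:
            raise ValueError("truncated record header")
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", rh)
        data = fp.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated record body")
        yield ts_sec, ts_usec, data


def frame_involves_host(frame: bytes, host: bytes) -> bool:
    """BPF `host A.B.C.D` for untagged IPv4-over-Ethernet (no VLAN, no ARP)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False
    return frame[26:30] == host or frame[30:34] == host   # IPv4 src / dst


def merge_filter_split(inputs: Iterable[bytes], host: str, max_bytes: int) -> List[bytes]:
    """Merge pcaps by timestamp (as mergecap does), keep frames to/from `host`,
    and start a new output file before `max_bytes` would be exceeded."""
    want = ipaddress.ip_address(host).packed
    streams = [read_pcap(io.BytesIO(b)) for b in inputs]
    outputs: List[bytes] = []
    cur = bytearray(pcap_global_header())
    for rec in heapq.merge(*streams, key=lambda r: (r[0], r[1])):
        if not frame_involves_host(rec[2], want):
            continue
        encoded = pcap_record(rec)
        # roll over before the limit is crossed; a header-only file is never
        # emitted, so an oversize single record still lands in its own file
        if len(cur) > 24 and len(cur) + len(encoded) > max_bytes:
            outputs.append(bytes(cur))
            cur = bytearray(pcap_global_header())
        cur += encoded
    outputs.append(bytes(cur))
    return outputs


def timestamps(pcap_bytes: bytes) -> List[int]:
    return [ts for ts, _, _ in read_pcap(io.BytesIO(pcap_bytes))]


# --- constructed sample data (not real traffic) ------------------------------
def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def make_udp_frame(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Ethernet + IPv4 + UDP frame with a valid IP header checksum."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + ip + udp


def constructed_inputs() -> List[bytes]:
    p = b"x" * 10                       # 52-byte frames, 68-byte records
    return [
        build_pcap([(100, 0, make_udp_frame("10.10.2.4", "8.8.8.8", p)),
                    (300, 0, make_udp_frame("192.168.1.1", "192.168.1.2", p))]),
        build_pcap([(200, 0, make_udp_frame("8.8.8.8", "10.10.2.4", p)),
                    (400, 0, make_udp_frame("10.10.2.4", "1.1.1.1", p))]),
        build_pcap([(50, 0, make_udp_frame("172.16.0.1", "172.16.0.2", p)),
                    (250, 0, make_udp_frame("10.0.0.9", "10.10.2.4", p))], endian=">"),
    ]


def demo() -> List[bytes]:
    # 24-byte header + two 68-byte records = 160 bytes, so a 160-byte cap
    # rolls over after every second matching packet
    return merge_filter_split(constructed_inputs(), "10.10.2.4", max_bytes=160)


if __name__ == "__main__":
    for i, out in enumerate(demo()):
        print("output %d: %d bytes, packets at %s" % (i, len(out), timestamps(out)))
```

Of the six constructed frames, four involve 10.10.2.4 and they come out in global timestamp order (100, 200, 250, 400) even though they arrive from three files, one of them written big-endian; the cap splits them into two 160-byte files. On real input the only difference is reading from open file handles instead of `io.BytesIO` and writing each output to disk as it rolls over, which keeps memory flat regardless of capture size.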