Wireshark · Wireshark-users: Re: [Wireshark-users] Capture filter when capturing from std-in not working

Wireshark-users: Re: [Wireshark-users] Capture filter when capturing from std-in not working

From: Jim Balo <jimbalo22@xxxxxxxxx>

Date: Sun, 21 Sep 2008 19:48:15 -0700 (PDT)

On Sun, Sep 21, 2008 at 10:27:43AM -0700, Jim Balo wrote:
>                                                                           
>    The above is just a simple test.  What I really need to do is to merge a   
>    bunch of big pcap files + apply a filter + write the result to new pcap
>    file.  I tried this:                                                   
>   
>    mergecap -w - snort.log.1221* | tshark -i - -w /test_0918.pcap -f "host    
>    10.10.2.4"                                                        

I would try somthing like:

for file in `ls -1 snort.log.1221*`
do
  echo $file
  tshark -r $file -w tmp-$file -R "ip.addr==10.10.2.4"
done
mergecap -w test_0918.pcap tmp-snort.log.1221*
rm -f tmp-snort.log.1221*

Thanks, Sake - that works great. 
 
Out of curiosity:  Was there something wrong with the way I did it, or is this a bug in TShark?
 
Thanks again,
JB

References:
- Re: [Wireshark-users] Capture filter when capturing from std-in not working
  - From: Sake Blok

Prev by Date: [Wireshark-users] Multiple BGP messages in a frame, and BGP messages spanning multiple framesm
Next by Date: Re: [Wireshark-users] Wireshark 1.0.3 on OS X 10.5.5 SSL decryption
Previous by thread: Re: [Wireshark-users] Capture filter when capturing from std-in not working
Next by thread: [Wireshark-users] Sniffing on localhost UDP traffic
Index(es):
- Date
- Thread