On Mar 3, 2009, at 7:01 PM, Rayne wrote:
> I have multiple trace files all beginning with the prefix "trace1_"
> and I would like to read all these files, apply a filter on them and
> write the filtered packets into another pcap file.
> I've tried both reading from trace1* and listing all the filenames
> after the -r option, but I keep getting a syntax error.

That's because you can give only one argument to the "-r" flag (or any
flag that takes an argument - and that's the case for most, if not
all, command-line flags on UN*X).

> Can I read multiple files in tcpdump

No. tcpdump will read only one file.
I assume your goal is to combine all the packets from all the traces,
and write out a subset of those packets, selected by a filter, to
another file. If so, you could, as Stephen Fisher said, use mergecap
to combine them into a file and then read the file with tcpdump and
have it write the filtered packets to another file. It might also be
possible to pipe mergecap's output to its standard output, and pipe it
to a tcpdump that you've told to read from its standard input, and
avoid the intermediate file.
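
As an added example (not part of the original message, and not mergecap or tcpdump code), the merge-then-filter step described above can be sketched in pure Python to show what happens at the file-format level. It assumes classic little-endian, microsecond-resolution pcap files that are each already in time order; `merge_and_filter`, `read_pcap`, `make_trace` and the `keep` predicate (standing in for a tcpdump filter expression) are hypothetical names.

```python
import heapq
import struct

# Command-line form of the pipeline the reply describes (output name and filter are placeholders):
#   mergecap -w - trace1_* | tcpdump -r - -w filtered.pcap '<filter>'
# Assumption: classic little-endian, microsecond pcap only; no pcapng, no byte-swapped files.
MAGIC_LE_USEC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len


def read_pcap(data):
    """Return (linktype, iterator of (ts_sec, ts_usec, orig_len, payload))."""
    magic, _, _, _, _, _, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != MAGIC_LE_USEC:
        raise ValueError("unsupported pcap magic: %#x" % magic)

    def records():
        off = GLOBAL_HDR.size
        while off + REC_HDR.size <= len(data):
            sec, usec, incl, orig = REC_HDR.unpack_from(data, off)
            off += REC_HDR.size
            if off + incl > len(data):  # truncated final record: stop cleanly
                break
            yield sec, usec, orig, data[off:off + incl]
            off += incl

    return linktype, records()


def merge_and_filter(traces, keep, snaplen=65535):
    """Merge traces chronologically and keep packets for which keep(payload) is true."""
    parsed = [read_pcap(t) for t in traces]
    linktypes = {lt for lt, _ in parsed}
    if len(linktypes) != 1:             # a classic pcap file carries one link type
        raise ValueError("mixed link types: %s" % sorted(linktypes))
    out = [GLOBAL_HDR.pack(MAGIC_LE_USEC, 2, 4, 0, 0, snaplen, linktypes.pop())]
    # Each input is assumed time-ordered, so a k-way merge on the timestamp suffices.
    for sec, usec, orig, payload in heapq.merge(*(r for _, r in parsed),
                                                key=lambda p: (p[0], p[1])):
        if keep(payload):
            out.append(REC_HDR.pack(sec, usec, len(payload), orig) + payload)
    return b"".join(out)


def make_trace(packets, linktype=1):
    """Constructed sample input: build a pcap from (sec, usec, payload) tuples."""
    body = b"".join(REC_HDR.pack(s, u, len(p), len(p)) + p for s, u, p in packets)
    return GLOBAL_HDR.pack(MAGIC_LE_USEC, 2, 4, 0, 0, 65535, linktype) + body
```

Unlike tcpdump reading a single file, this refuses inputs whose link-layer types differ, since a classic pcap header can record only one.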