Wireshark-users: Re: [Wireshark-users] Reading multiple files in tcpdump

From: Alex Lindberg <alindber@xxxxxxxxx>
Date: Wed, 4 Mar 2009 14:49:11 -0800 (PST)
Here is a Linux script I use for this very purpose.  As an example, if you wish to see all packets on udp.port == 1719 and save the output to a file UDP1719.cap then do:

MergePackets.sh "MyFiles*" "udp.port == 1719" UDP1719.cap

~/bin$ cat MergePackets.sh
#!/bin/sh
# MergePackets.sh: run one display filter over every capture matching <Path>,
# then merge the filtered packets into a single capture (file or stdout).

if [ -z "$2" ]; then
        echo "$0 <Path> <DisplayFilter> [<OutputFile>]"
        echo " "
        echo "The purpose of this script is to take all capture files in a directory"
        echo "and create a single file that is filtered based on the input string."
        echo " "
        echo "This string could be an IP address, \"ip.addr == 1.1.1.1\""
        echo "or a port number \"tcp.port == 1720\", etc."
        echo " "
        echo "The input must be in a display filter format."
        echo " "
        echo "If you are using a wildcard in the <Path>, please enclose with \" \" marks"
        echo " "
        echo "If OutputFile is not specified, the output will be to stdout"
        echo " "
        echo "********************** NOTICE ******************************"
        echo "This script will run under LINUX only:"
        echo "With proper changes this script could run on a windows PC."
        echo "If you do so, do with care!!!"
        exit 1
fi

# Wireshark or Ethereal
SHARK=tshark
#SHARK=tethereal

# Create file list: <Path> is either a directory or a quoted wildcard such as "MyFiles*"
if [ -d "$1" ]; then
        FILELIST=$(ls "$1"/*)
else
        FILELIST=$(ls $1)
fi

# Private scratch directory with an unpredictable name, rather than a fixed /tmp/foobar
# that another local user could pre-create or populate
TEMPDIR=$(mktemp -d) || exit 1
i=1
for I in $FILELIST; do
        echo "$i $I $2"
        # Filter each capture on its own; the counter keeps the temp names unique even
        # when inputs from different directories share a basename.
        # -R is the read filter of 2009-era tshark; current releases use -Y for this.
        $SHARK -r "$I" -w "$TEMPDIR/$i-$(basename "$I")" -R "$2" >/dev/null 2>&1
        i=$((i + 1))
done

if [ -z "$3" ]; then
        # if here use stdout
        OUTFILE="-"
else
        OUTFILE=$3
fi

mergecap -w "$OUTFILE" "$TEMPDIR"/*
rm -r "$TEMPDIR"

Enjoy.  Your mileage may vary.
Alex Lindberg

--- On Tue, 3/3/09, Guy Harris <guy@xxxxxxxxxxxx> wrote:
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Reading multiple files in tcpdump
To: hjazz6@xxxxxxxxx, "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Tuesday, March 3, 2009, 9:29 PM

On Mar 3, 2009, at 7:01 PM, Rayne wrote:

> I have multiple trace files all beginning with the prefix "trace1_"
> and I would like to read all these files, apply a filter on them and
> write the filtered packets into another pcap file.
>
> I've tried both reading from trace1* and listing all the filenames
> after the -r option, but I keep getting syntax error.

That's because you can give only one argument to the "-r" flag (or any
flag that takes an argument - and that's the case for most, if not
all, command-line flags on UN*X).

> Can I read multiple files in tcpdump

No. tcpdump will read only one file.

I assume your goal is to combine all the packets from all the traces,
and write out a subset of those packets, selected by a filter, to
another file. If so, you could, as Stephen Fisher said, use mergecap
to combine them into a file and then read the file with tcpdump and
have it write the filtered packets to another file. It might also be
possible to pipe mergecap's output to its standard output, and pipe it
to a tcpdump that you've told to read from its standard input, and
avoid the intermediate file.
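What the script above and the mergecap-then-filter approach in the quoted reply both boil down to is: read several pcap files, put their packets into one chronological stream, keep only those matching a display filter such as udp.port == 1719, and write one pcap back out. The following Python is an added example written for this page, not code from the thread or from Wireshark; it implements that pipeline for plain (non-pcapng, little-endian) pcap files and for the single filter udp.port == N on Ethernet/IPv4/UDP frames, with the two sample traces constructed inline.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps

def read_pcap(data):
    """Parse one pcap byte string into (linktype, [(ts_sec, ts_usec, frame), ...])."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic (only little-endian pcap handled here)")
    off, pkts = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack_from("<IIII", data, off)
        pkts.append((ts_sec, ts_usec, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return linktype, pkts

def write_pcap(linktype, pkts):
    """Serialise (ts_sec, ts_usec, frame) records back into a pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for ts_sec, ts_usec, frame in pkts:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out

def udp_port_matches(frame, port):
    """Equivalent of the display filter 'udp.port == port' for Ethernet/IPv4/UDP frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return False  # not an IPv4 frame
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17 or len(frame) < 14 + ihl + 8:
        return False  # not UDP, or truncated before the UDP header
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return port in (sport, dport)

def merge_and_filter(captures, port):
    """Merge pcap byte strings in timestamp order (what mergecap does) and keep matching frames."""
    linktype, merged = None, []
    for cap in captures:
        lt, pkts = read_pcap(cap)
        if linktype not in (None, lt):
            raise ValueError("captures use different link types; a single pcap cannot mix them")
        linktype = lt
        merged.extend(pkts)
    merged.sort(key=lambda p: (p[0], p[1]))  # chronological across all input files
    return write_pcap(linktype, [p for p in merged if udp_port_matches(p[2], port)])

def udp_frame(sport, dport):  # constructed Ethernet/IPv4/UDP frame, empty payload (sample data only)
    ip = bytes([0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2])
    return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HHHH", sport, dport, 8, 0)
# Constructed sample traces whose timestamps interleave, standing in for the thread's trace1_* files.
TRACE1 = write_pcap(1, [(10, 0, udp_frame(40000, 1719)), (12, 0, udp_frame(40000, 53))])
TRACE2 = write_pcap(1, [(11, 500, udp_frame(1719, 40001))])
```

With real files, replace TRACE1/TRACE2 by the bytes read from each capture; the merged output keeps the 1719 packets from both files in timestamp order, just as mergecap followed by a filtered tshark or tcpdump pass would.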
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users