Wireshark-users: Re: [Wireshark-users] Aggregating PCAP files

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Thu, 20 May 2010 23:04:46 +0200
Hi,

I think you picked them right out... the known bugs. See the release
notes.

Thanks,
Jaap

On Thu, 20 May 2010 16:23:25 +0200, Nicolas Greneche
<nicolas.greneche@xxxxxxxxxxxxxxx> wrote:
> Hi all,
> 
> I use FreeBSD 8.0 64 bits. I record network traces on my network this 
> way with dumpcap :
> 
> dumpcap -i bridge0 -w /store/pcap/fede/capture.pcap -b filesize:300000 
> -b files:1500
> 
> Interface bridge0 is composed of em1 en em0 which are connected to a 
> Network TAP. It works well and I developped a small shell script that 
> select a subset of files given a time interval.
> 
> I tried to send this subset of pcap files to a named pipe like this :
> 
> cat fic1.pcap fic2.pcap ... > /my/named/pipe
> 
> With a tshark on the named pipe :
> 
> tshark -i /my/named/pipe -w /store/pcap/dns.pcap 'dst port 53'
> 
> With a "filter capture" to get only DNS traffic in dns.pcap
> And when I re read this pcap like this :
> 
> tshark -r /store/pcap/dns.pcap
> 
> I got all the traffic (not only dns). I also tried with a "read filter"
:
> 
> tshark -i /my/named/pipe -w /store/pcap/dns.pcap -R "udp.port==53"
> 
> It is all the same in the resulting pcap. Did I missed something about 
> filter ?
> 
> Thanks for your help,