Wireshark-users: Re: [Wireshark-users] Can Tshark read directories

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 3 Jun 2010 19:12:02 +0200
On 3 jun 2010, at 18:17, mark-wade@xxxxxxxxxxx wrote:

> I have attempted to no avail to get my tshark command to read a directory of captured .pcap files.  There is no info in the man pages regarding the "-r" on reading directories of captured files.
>  
> I am currently trying the following command within a directory of several files ending in .pcap
>  
> #tshark -r *.pcap* -R "!(tcp.port eq 25)" -w outputfile

No such functionality exists today in tshark (it's a one-file-only-kinda-guy). The way I do what you want is:

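mkdir tmp
# Filter each capture on its own, writing the result into tmp/
for file in *.pcap
do
   tshark -r "$file" -w "tmp/$file" -R "!(tcp.port==25)"
done
# Merge the filtered captures into one file, then clean up
mergecap -w out.cap tmp/*
rm -rf tmp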

Of course this can be optimized by saving this in a script which would do some error-checking too, etc.

Cheers,

Sake
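
The filter-then-merge loop from the reply above with the error checking it mentions, as an added example that is not part of the original post: it survives file names with spaces, skips captures tshark cannot read, and always removes its temporary directory. The function name filter_and_merge, the TSHARK and MERGECAP override variables and the return codes are assumptions made for this sketch, and it uses -Y because current tshark releases accept -R only together with two-pass mode (-2).

```shell
#!/bin/sh
# Added example. TSHARK / MERGECAP may point at alternative binaries (assumption).
# Return codes (assumed convention): 0 ok, 1 nothing merged, 2 bad input,
# 3 merged but at least one capture was skipped.
filter_and_merge() {
    src_dir=$1 out_file=$2 filter=$3
    tshark_bin=${TSHARK:-tshark}
    mergecap_bin=${MERGECAP:-mergecap}

    [ -d "$src_dir" ] || { echo "not a directory: $src_dir" >&2; return 2; }
    work_dir=$(mktemp -d) || return 2
    kept=0 failed=0

    for f in "$src_dir"/*.pcap; do
        # An unmatched glob stays literal, so skip anything that is not a file.
        [ -f "$f" ] || continue
        out="$work_dir/$(basename "$f")"
        if "$tshark_bin" -r "$f" -Y "$filter" -w "$out"; then
            kept=$((kept + 1))
        else
            # Truncated or corrupt capture: drop partial output and carry on.
            echo "skipping unreadable capture: $f" >&2
            rm -f "$out"
            failed=$((failed + 1))
        fi
    done

    rc=0
    if [ "$kept" -eq 0 ]; then
        echo "no captures were filtered successfully" >&2
        rc=1
    elif ! "$mergecap_bin" -w "$out_file" "$work_dir"/*; then
        echo "mergecap failed" >&2
        rc=1
    elif [ "$failed" -gt 0 ]; then
        rc=3
    fi
    rm -rf "$work_dir"
    return "$rc"
}

# Stand-alone use: sh script.sh <capture-dir> <output-file> <display-filter>
if [ "$#" -eq 3 ]; then
    filter_and_merge "$@"
fi
```

A return code of 3 means the merged file exists but is incomplete, which matters when the output feeds an investigation timeline.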