Re: Can Tshark read directories

[Ian Schorr <ian.schorr () gmail com>]

Or, mergecap the "source" files first and avoid the scripted loop
altogether (mergecap is NOT a one-file sort of guy).  Obviously this
has the disadvantage of potentially taking up much more room, at least
temporarily.

On Fri, Jun 4, 2010 at 3:12 AM, Sake Blok <sake () euronet nl> wrote:
> On 3 jun 2010, at 18:17, mark-wade () comcast net wrote:
>
> > I have attempted to no avail to get my tshark command to read a directory of captured .pcap files.  There is no info 
> > in the man pages regarding the "-r" on reading directories of captured files.
> >
> > I am currently trying the following command within a directory of several files ending in .pcap
> >
> > #tshark -r *.pcap* -R "!(tcp.port eq 25)" -w outputfile
>
> No such functionality exist today in tshark (it's a one-file-only-kinda-guy). The way I do what you want is:
>
> mkdir tmp
> for file in $(ls -1 *.pcap)
> do
>   tshark -r $file -w tmp/$file -R "!tcp.port==25)"
> done
> mergecap -w out.cap tmp/*
> rm -rf tmp
>
> Of course this can be optimized by saving this in a script which would do some error-checking to, etc.
>
> Cheers,
>
> Sake
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe