Re: Aggregating PCAP files

[Jaap Keuter <jaap.keuter () xs4all nl>]

Hi,

I think you picked them right out... the known bugs. See the release
notes.

Thanks,
Jaap

On Thu, 20 May 2010 16:23:25 +0200, Nicolas Greneche
<nicolas.greneche () univ-orleans fr> wrote:
> Hi all,
>
> I use FreeBSD 8.0 64 bits. I record network traces on my network this 
> way with dumpcap :
>
> dumpcap -i bridge0 -w /store/pcap/fede/capture.pcap -b filesize:300000 
> -b files:1500
>
> Interface bridge0 is composed of em1 en em0 which are connected to a 
> Network TAP. It works well and I developped a small shell script that 
> select a subset of files given a time interval.
>
> I tried to send this subset of pcap files to a named pipe like this :
>
> cat fic1.pcap fic2.pcap ... > /my/named/pipe
>
> With a tshark on the named pipe :
>
> tshark -i /my/named/pipe -w /store/pcap/dns.pcap 'dst port 53'
>
> With a "filter capture" to get only DNS traffic in dns.pcap
> And when I re read this pcap like this :
>
> tshark -r /store/pcap/dns.pcap
>
> I got all the traffic (not only dns). I also tried with a "read filter"
:
> tshark -i /my/named/pipe -w /store/pcap/dns.pcap -R "udp.port==53"
>
> It is all the same in the resulting pcap. Did I missed something about 
> filter ?
>
> Thanks for your help,
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe