Re: Multiple input files

[Evan Huus <eapache () gmail com>]

On Thu, Sep 5, 2013 at 9:26 AM, Evan Huus <eapache () gmail com> wrote:

> On Thu, Sep 5, 2013 at 9:19 AM, Dario Lombardo <
> dario.lombardo.ml () gmail com> wrote:
>
> > Hi list
> > I was trying to change the code of tshark to support multiple -r
> > switches. The aim is to have many input files and one output file. Before
> > getting mad in changing it, I was wondering if it makes sense or not, and
> > if it was addressed before in some way.
> >
> > An example of use of it:
> >
> > tshark -r input1.pcap -r input2.pcap -r input3.pcap -Y "dns.qry.name contains
> > google" -o google.pcap
> >
> > Thanks for your suggestions.
>
> Mergecap already does this, but can't filter. Still, it's easy enough to
> use mergecap to merge the files, and then filter it second (or filter them
> individually first, then merge the filtered files).
>
> You can even (I think) pipe from mergecap to tshark as follows:
>
> mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -Y "dns.qry.name contains
> google" -o google.pcap

And the correct command should actually be:

mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y
"dns.qry.name contains
google" -o google.pcap

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe