Wireshark mailing list archives
Re: Multiple input files
From: Dario Lombardo <dario.lombardo.ml () gmail com>
Date: Thu, 5 Sep 2013 15:54:51 +0200
On Thu, Sep 5, 2013 at 3:30 PM, Evan Huus <eapache () gmail com> wrote:
> mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y "dns.qry.name contains google" -w google.pcap
mergecap would certainly be an option, if the merged file is not too big to be given to tshark. I have 10 files, 1G each. If I merge them, the resulting 10G file is too big for tshark. I'd need to run tshark on every 1G file, then merge the output, not the inverse. Another option could be to add the opportunity to append tshark output to an existing pcap file (this is not supported now, is it?).
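The order of operations asked for in the message above (run tshark on each input file, then merge the filtered outputs), as an added example that is not part of the original message. It assumes `tshark` and `mergecap` are on `PATH`; the function name, argument order and temporary file names are illustrative.

```shell
#!/bin/sh
# Added example: filter every capture on its own, then merge the small results.
# Usage (file names are placeholders):
#   sh filter_then_merge.sh 'dns.qry.name contains google' google.pcap in1.pcap in2.pcap

# filter_then_merge FILTER OUTPUT INPUT...
# The body runs in a subshell, so its variables do not leak to the caller.
filter_then_merge() (
    filter=$1
    output=$2
    shift 2
    if [ "$#" -lt 1 ]; then
        echo "usage: filter_then_merge FILTER OUTPUT INPUT..." >&2
        exit 2
    fi

    tmpdir=$(mktemp -d) || exit 1
    n=0
    for src in "$@"; do
        n=$((n + 1))
        # Zero-padded names keep the glob below in input order.
        part=$(printf '%s/part-%04d.pcap' "$tmpdir" "$n")
        # One tshark process per input: memory use is bounded by the
        # largest single file, not by the sum of all of them.
        if ! tshark -r "$src" -Y "$filter" -w "$part"; then
            echo "tshark failed on $src" >&2
            rm -rf "$tmpdir"
            exit 1
        fi
    done

    # mergecap interleaves packets by timestamp by default, so the result
    # is chronologically ordered even if the inputs overlap in time.
    rc=0
    mergecap -w "$output" "$tmpdir"/part-*.pcap || rc=$?
    rm -rf "$tmpdir"
    exit "$rc"
)

# Run only when called with a filter, an output file and at least one input.
if [ "$#" -ge 3 ]; then
    filter_then_merge "$@"
fi
```

The filtered parts are usually a small fraction of the inputs, so the final `mergecap` step stays cheap even when the source captures total many gigabytes.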