On Thu, Sep 5, 2013 at 9:19 AM, Dario Lombardo <[email protected]> wrote:
> Hi list
> I was trying to change the code of tshark to support multiple -r switches.
> The aim is to have many input files and one output file. Before getting mad
> in changing it, I was wondering if it makes sense or not, and if it was
> addressed before in some way.
>
> An example of use of it:
>
> tshark -r input1.pcap -r input2.pcap -r input3.pcap -Y "dns.qry.name contains google" -o google.pcap
>
> Thanks for your suggestions.
>

Mergecap already does this, but can't filter. Still, it's easy enough to use mergecap to merge the files, and then filter it second (or filter them individually first, then merge the filtered files). You can even (I think) pipe from mergecap to tshark as follows:

mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -r - -Y "dns.qry.name contains google" -w google.pcap
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
