On Fri, Sep 6, 2013 at 9:50 PM, Christopher Maynard
christopher.mayn...@gtech.com wrote:
Two problems:
1) How do you guarantee the files will be processed in correct time order
for appending?
I can't. If the user needs it, they can run reordercap.
2) mergecap today doesn't support
Another option could be to support stdin as input file in mergecap with an
append switch. If mergecap would support something like this
cat input1.pcap | mergecap -a - -w output.pcap
cat input2.pcap | mergecap -a - -w output.pcap
this would allow a user to do something like
for file in *.pcap
Dario Lombardo dario.lombardo.ml@... writes:
for file in *.pcap
do
tshark -r $file -Y FILTER -w - | mergecap -a - -w output.pcap
done
what about that?
Two problems:
1) How do you guarantee the files will be processed in correct time order
for appending?
2) mergecap today doesn't
Hi list
I was trying to change the code of tshark to support multiple -r switches.
The aim is to have many input files and one output file. Before getting mad
in changing it, I was wondering if it makes sense or not, and if it was
addressed before in some way.
An example of use of it:
tshark -r
On Thu, Sep 5, 2013 at 9:19 AM, Dario Lombardo
dario.lombardo...@gmail.com wrote:
Hi list
I was trying to change the code of tshark to support multiple -r switches.
The aim is to have many input files and one output file. Before getting mad
in changing it, I was wondering if it makes sense or
Dario Lombardo dario.lombardo.ml@... writes:
Hi list
I was trying to change the code of tshark to support multiple -r
switches. The aim is to have many input files and one output file. Before
getting mad in changing it, I was wondering if it makes sense or not, and if
it was addressed before in
On Thu, Sep 5, 2013 at 9:26 AM, Evan Huus eapa...@gmail.com wrote:
On Thu, Sep 5, 2013 at 9:19 AM, Dario Lombardo
dario.lombardo...@gmail.com wrote:
Hi list
I was trying to change the code of tshark to support multiple -r
switches. The aim is to have many input files and one output file.
Evan Huus eapache@... writes:
You can even (I think) pipe from mergecap to tshark as follows:
mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -Y
dns.qry.name contains google -o google.pcap
Just a slight correction on the tshark command-line options needed (note the
-i -):
mergecap -w -
On Thu, Sep 5, 2013 at 3:30 PM, Evan Huus eapa...@gmail.com wrote:
mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y dns.qry.name
contains
google -o google.pcap
mergecap would be certainly an option, if the merged file is not too big to
be given to tshark.
I have 10 files, 1G each.
Title: Re: [Wireshark-dev] Multiple input files
Hi Dario,
Thursday, September 5, 2013, 3:54:51 PM, you wrote:
On Thu, Sep 5, 2013 at 3:30 PM, Evan Huus eapa...@gmail.com wrote:
mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y "dns.qry.name contains google" -o google.pca
jasper.sharklists@... writes:
You could use a batch script to do what you want, like
for %%a IN (*.pcap) DO tshark.exe -r %%a -R dns.qry.name
contains google -w filtered_%%a
mergecap -a -w all-google-queries.pcap filtered*.pcap
Great idea Jasper! I was thinking the same