On Thu, Sep 5, 2013 at 9:26 AM, Evan Huus <[email protected]> wrote:

> On Thu, Sep 5, 2013 at 9:19 AM, Dario Lombardo <[email protected]> wrote:
>
>> Hi list
>> I was trying to change the code of tshark to support multiple -r
>> switches. The aim is to have many input files and one output file. Before
>> getting mad in changing it, I was wondering if it makes sense or not, and
>> if it was addressed before in some way.
>>
>> An example of use of it:
>>
>> tshark -r input1.pcap -r input2.pcap -r input3.pcap -Y "dns.qry.name contains google" -o google.pcap
>>
>> Thanks for your suggestions.
>
> Mergecap already does this, but can't filter. Still, it's easy enough to
> use mergecap to merge the files, and then filter it second (or filter them
> individually first, then merge the filtered files).
>
> You can even (I think) pipe from mergecap to tshark as follows:
>
> mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -Y "dns.qry.name contains google" -o google.pcap

And the correct command should actually be:

mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y "dns.qry.name contains google" -o google.pcap
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
Archives: http://www.wireshark.org/lists/wireshark-dev
