Thursday, September 5, 2013, 3:54:51 PM, you wrote:
> On Thu, Sep 5, 2013 at 3:30 PM, Evan Huus wrote:
>> mergecap -w - in1.pcap in2.pcap in3.pcap | tshark -i - -Y "dns.qry.name contains google" -w google.pcap
>
> mergecap would certainly be an option, if the merged file is not too big to be given to tshark. I have 10 files, 1G each. If I merge them, the resulting 10G file is too big for tshark. I'd need to run tshark on every 1G file, then merge the output, not the inverse.
>
> Another option could be to add the opportunity to append tshark output to an existing pcap file (this is not supported now, is it?).

for %%a IN (*.pcap) DO tshark.exe -r "%%a" -Y "dns.qry.name contains google" -w "filtered_%%a"
mergecap -a -w all-google-queries.pcap filtered*.pcap
Cheers,
Jasper
___________________________________________________________________________
Sent via: Wireshark-dev mailing list
Archives: http://www.wireshark.org/lists/wireshark-dev
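
The filter-each-file-then-append workflow discussed in this thread, as an added Python example that is not part of the original messages and does not use tshark or mergecap: it streams each capture record by record, keeps packets whose first DNS question name contains a substring, and appends them to a single output. It assumes classic little-endian pcap files with untagged Ethernet/IPv4/UDP framing; the function names and the sample captures are constructed for illustration.

```python
import io
import struct

PCAP_HDR = struct.Struct("<IHHiIII")  # magic, version, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")      # ts_sec, ts_usec, incl_len, orig_len

def dns_qname(frame):
    """Lower-cased first DNS question name of an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                                   # not IPv4 or not UDP
    udp = 14 + (frame[14] & 0x0F) * 4                 # skip the IP header (IHL words)
    if len(frame) < udp + 20 or 53 not in struct.unpack("!HH", frame[udp:udp + 4]):
        return None                                   # too short or not port 53
    pos, labels = udp + 20, []                        # 8-byte UDP + 12-byte DNS header
    while pos < len(frame) and 0 < frame[pos] < 64:   # question names are plain labels
        labels.append(frame[pos + 1:pos + 1 + frame[pos]].decode("ascii", "replace"))
        pos += 1 + frame[pos]
    return ".".join(labels).lower()

def filter_append(src, dst, needle, write_header):
    """Stream one pcap from src and append matching records to dst; return the count."""
    hdr = src.read(PCAP_HDR.size)
    if len(hdr) < PCAP_HDR.size or PCAP_HDR.unpack(hdr)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian microsecond pcap")
    if write_header:                                  # only the first input supplies it
        dst.write(hdr)
    kept = 0
    while len(rec := src.read(REC_HDR.size)) == REC_HDR.size:
        frame = src.read(REC_HDR.unpack(rec)[2])      # incl_len bytes of packet data
        name = dns_qname(frame)
        if name and needle in name:
            dst.write(rec + frame)
            kept += 1
    return kept

def sample_pcap(names):
    """Constructed test capture: one DNS query frame per name."""
    out = PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n in names:
        q = b"".join(bytes([len(l)]) + l.encode() for l in n.split(".")) + b"\0\0\x01\0\x01"
        frame = (bytes(12) + b"\x08\x00" + b"\x45" + bytes(8) + b"\x11" + bytes(10)
                 + struct.pack("!HHHH", 40000, 53, 20 + len(q), 0) + bytes(12) + q)
        out += REC_HDR.pack(0, 0, len(frame), len(frame)) + frame
    return out

def merge_filtered(captures, needle):
    dst = io.BytesIO()
    kept = [filter_append(io.BytesIO(c), dst, needle, i == 0) for i, c in enumerate(captures)]
    return dst.getvalue(), kept
```

Like `mergecap -a`, this concatenates records in input order rather than sorting them by timestamp, and it holds only one packet in memory at a time regardless of input size.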
