Wireshark-dev: Re: [Wireshark-dev] Multiple input files
From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Thu, 5 Sep 2013 16:18:31 +0000 (UTC)
<jasper.sharklists@...> writes:

> You could use a batch script to do what you want, like
>         for %%a IN (*.pcap) DO tshark.exe -r "%%a" -R "dns.qry.name contains google" -w "filtered_%%a"
>         mergecap -a -w all-google-queries.pcap filtered*.pcap

Great idea, Jasper!  I was thinking the same thing, only that it might be
nicer if mergecap supported reading from stdin, so that you could then have
a script along the lines of the following to avoid creating so many
temporary files.  I don't know which method would be more efficient though -
i.e., merge 1 file at a time or merge them all together at the end.

#!/bin/sh

# Assumes mergecap can read one of its inputs from stdin ("-"), which, as
# noted above, it does not yet support.
if [ "$#" -lt 3 ]
then
        echo "Usage: $0 <directory> <filter> <outfile>"
        exit 1
fi

dir=$1
filter=$2
outfile=$3
tmpfile=__tmp.pcap

rm -f "$tmpfile"
for file in "$dir"/*
do
        if [ -s "$tmpfile" ]
        then
                # merge this file's matching packets into what has been merged so far
                wireshark-gtk2/tshark.exe -r "$file" -Y "$filter" -F libpcap -w - |
                wireshark-gtk2/mergecap.exe -w "$outfile" - "$tmpfile"
        else
                # nothing merged yet: the first file's matching packets become the output
                wireshark-gtk2/tshark.exe -r "$file" -Y "$filter" -F libpcap -w "$outfile"
        fi
        cp -f "$outfile" "$tmpfile"
done
rm -f "$tmpfile"
echo "Done merging files in $dir/ to $outfile"
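An added example, not part of the thread and not code from either poster: with the tools as they ship today, the temporary files can be avoided by reversing the order of the two steps, because mergecap can already write to stdout (`-w -`) and tshark can already read from stdin (`-r -`). The whole directory is merged once and filtered once. The function name `filter_merge` and the `*.pcap` glob are this example's own choices; it assumes tshark 1.10 or later (for `-Y`) and mergecap on the PATH.

```bash
#!/bin/sh
# Added example: merge first, then filter once; no per-file temporaries.
# Assumes mergecap and tshark (1.10+ for -Y) are on the PATH.

# usage: filter_merge <directory> <display filter> <outfile>
# Returns 0 on success, 2 on bad arguments or no input files, 1 if a tool is missing;
# otherwise the exit status of tshark.
filter_merge() {
    dir=$1; filter=$2; outfile=$3
    if [ "$#" -ne 3 ] || [ ! -d "$dir" ]; then
        echo "usage: filter_merge <directory> <filter> <outfile>" >&2
        return 2
    fi

    # Replace the positional parameters with the input files so that an
    # unmatched glob can be detected (it would be left as the literal pattern).
    set -- "$dir"/*.pcap
    if [ ! -e "$1" ]; then
        echo "filter_merge: no *.pcap files in $dir" >&2
        return 2
    fi

    for tool in mergecap tshark; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "filter_merge: $tool not found in PATH" >&2
            return 1
        fi
    done

    # mergecap -a concatenates the inputs in argument order (the shell sorts the
    # glob, so alphabetical); drop -a to interleave packets by timestamp instead.
    # tshark reads the merged stream from stdin and writes only the packets that
    # match the display filter; the output format defaults to pcapng.
    mergecap -a -w - "$@" | tshark -r - -Y "$filter" -w "$outfile"
}

# Run directly as a script: filter_merge.sh <directory> <filter> <outfile>
if [ "$#" -gt 0 ]; then
    filter_merge "$@"
fi
```

The trade-off against merging one file at a time is that nothing is written until the filter has seen the entire merged stream, so a filter typo is only noticed at the end; the upside is that the per-file `cp`/`mergecap` round trips disappear entirely.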