Wireshark · Wireshark-users: Re: [Wireshark-users] Capture filter when capturing from std-in not working

Wireshark-users: Re: [Wireshark-users] Capture filter when capturing from std-in not working

From: Sake Blok <sake@xxxxxxxxxx>

Date: Sun, 21 Sep 2008 20:30:23 +0200

On Sun, Sep 21, 2008 at 10:27:43AM -0700, Jim Balo wrote:
>                                                                               
>    The above is just a simple test.  What I really need to do is to merge a   
>    bunch of big pcap files + apply a filter + write the result to new pcap    
>    file.  I tried this:                                                       
>                                                                               
>    mergecap -w - snort.log.1221* | tshark -i - -w /test_0918.pcap -f "host    
>    10.10.2.4"                                                                 

I would try somthing like:

for file in `ls -1 snort.log.1221*`
do
  echo $file
  tshark -r $file -w tmp-$file -R "ip.addr==10.10.2.4"
done
mergecap -w test_0918.pcap tmp-snort.log.1221*
rm -f tmp-snort.log.1221*


Cheers,
    Sake

Follow-Ups:
- Re: [Wireshark-users] Capture filter when capturing from std-in not working
  - From: Jim Balo

References:
- [Wireshark-users] Capture filter when capturing from std-in not working
  - From: Jim Balo

Prev by Date: [Wireshark-users] Capture filter when capturing from std-in not working
Next by Date: [Wireshark-users] Sniffing on localhost UDP traffic
Previous by thread: [Wireshark-users] Capture filter when capturing from std-in not working
Next by thread: Re: [Wireshark-users] Capture filter when capturing from std-in not working
Index(es):
- Date
- Thread