Wireshark-users: Re: [Wireshark-users] Can Tshark read directories
From: Ian Schorr <ian.schorr@xxxxxxxxx>
Date: Mon, 7 Jun 2010 12:46:01 +1000
Or, mergecap the "source" files first and avoid the scripted loop
altogether (mergecap is NOT a one-file sort of guy).  Obviously this
has the disadvantage of potentially taking up much more room, at least
temporarily.

On Fri, Jun 4, 2010 at 3:12 AM, Sake Blok <sake@xxxxxxxxxx> wrote:
> On 3 jun 2010, at 18:17, mark-wade@xxxxxxxxxxx wrote:
>
>> I have attempted to no avail to get my tshark command to read a directory of captured .pcap files.  There is no info in the man pages regarding the "-r" on reading directories of captured files.
>>
>> I am currently trying the following command within a directory of several files ending in .pcap
>>
>> #tshark -r *.pcap* -R "!(tcp.port eq 25)" -w outputfile
>
> No such functionality exists today in tshark (it's a one-file-only-kinda-guy). The way I do what you want is:
>
> mkdir tmp
> for file in *.pcap
> do
>   tshark -r "$file" -w "tmp/$file" -R "!(tcp.port==25)"
> done
> mergecap -w out.cap tmp/*
> rm -rf tmp
>
> Of course this can be optimized by saving this in a script which would do some error-checking too, etc.
>
> Cheers,
>
> Sake
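
The per-file loop from the quoted reply, with the error checking it mentions, as an added example (not code from the thread). It assumes a current tshark, where single-pass filtering uses `-Y` instead of the `-R` shown above; the function name `filter_dir` and the `TSHARK`/`MERGECAP` override variables are made up for this example.

```shell
#!/bin/sh
# Added example: filter every .pcap in a directory, then merge the results.
# Assumption: tshark and mergecap are on PATH unless overridden here.
TSHARK=${TSHARK:-tshark}
MERGECAP=${MERGECAP:-mergecap}

# filter_dir DIR DISPLAY_FILTER OUTFILE
# Returns 0 on success, 1 if tshark fails on any file, 2 if DIR has no .pcap.
filter_dir() {
    dir=$1 filter=$2 out=$3
    tmp=$(mktemp -d) || return 1      # private temp dir, not ./tmp
    count=0
    for f in "$dir"/*.pcap; do
        [ -f "$f" ] || continue       # glob matched nothing
        # Assumption: -Y is the single-pass filter flag (newer tshark);
        # the 2010-era command in the thread used -R.
        if ! "$TSHARK" -r "$f" -Y "$filter" -w "$tmp/$(basename "$f")"; then
            echo "tshark failed on $f" >&2
            rm -rf "$tmp"
            return 1
        fi
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "no .pcap files in $dir" >&2
        rm -rf "$tmp"
        return 2
    fi
    rc=0
    "$MERGECAP" -w "$out" "$tmp"/* || rc=$?   # merge in timestamp order
    rm -rf "$tmp"                             # clean up on success or failure
    return "$rc"
}

# Usage: sh filter_dir.sh ./captures '!(tcp.port == 25)' out.pcap
if [ "$#" -eq 3 ]; then
    filter_dir "$@"
fi
```
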