This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to filter out packets using tshark on multiple pcap or cap files?

0

Hi, Is there a way to filter out packets using tshark on multiple pcap or cap files.

I have tried with different variations but it has not worked, it only works when I explicitly specify the full file name.

example: This will not work
tshark -r 201410100*.cap -R "diameter.Session-Id == \"what ever\"" -Tfields -E separator='|' -e frame.time

Thanks, Sunil

asked 16 Oct '14, 14:49

Sunny's gravatar image

Sunny
11112
accept rate: 0%


2 Answers:

0

TShark doesn't support reading multiple capture files, so you can't run a single instance of TShark on multiple files. You'd have to run TShark separately once per file, or merge the captures into a single capture file using mergecap and run TShark on the merged file.

answered 16 Oct '14, 15:04

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

0

for file in *.pcap;do echo "$file";tshark -n -r "$file" http.host == "keyword:443";done

answered 07 Jan '15, 22:32

bnx2's gravatar image

bnx2
111
accept rate: 0%