Is there any way to write to an already written file in tshark? Instead of using -w do we have any other option to append packets to an existing pcap file? I know mergecap can be used to merge to capture files.But its hectic to merge 1000s of small files.
Thanks in advance
asked 16 Feb, 15:48
No, it's not possible to append to a capture file - once you stop the capture it is final. The only way around that (as you already mentioned) is mergecap. Recent versions of mergecap can be used with wildcards, e.g. when your small files are called "smallfile01.pcapng", "smallfile02.pcapng" etc.:
mergecap -a -w all.pcapng smallfile*.pcapng
answered 17 Feb, 00:32