This is our old Q&A Site. Please post any new questions and answers at

Is there a mechanism where multiple files can be searched for a particular parameter?

When capturing large amounts of data or there is an intermittent issue and you are collecting the capture off in a ring buffer. The problem is when the event, lets say a SIP call overlaps 20 files, pulling all the SIP and RTP out of the various files is very time consuming.

asked 12 Aug '11, 13:31

dpackboy's gravatar image

accept rate: 0%

edited 12 Aug '11, 17:59

helloworld's gravatar image


I'd use a batch file and tshark to do this. You can use the parameters "-r" to read a file, "-R" to apply any display filter you'd manually use, and "-w" to write the resulting frames back to a new trace, for example:

tshark -r "sample.pcap" -R "ftp or ftp-data" -w "just-ftp.pcap"

That way my resulting trace file named "just-ftp.pcap" will only have packets that contain FTP or FTP data flows. You can run that kind of command on any number of files in a loop or by single commands batched together.

Afterwards you might use mergecap to merge your resulting fragments together into one single pcap file.

tshark and mergecap are command line tools installed together with Wireshark, so it is most likely you already have them on your computer.

permanent link

answered 12 Aug '11, 16:58

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 12 Aug '11, 13:31

question was seen: 8,645 times

last updated: 12 Aug '11, 17:59

p​o​w​e​r​e​d by O​S​Q​A