Is there a mechanism where multiple files can be searched for a particular parameter? When capturing large amounts of data or there is an intermittent issue and you are collecting the capture off in a ring buffer. The problem is when the event, lets say a SIP call overlaps 20 files, pulling all the SIP and RTP out of the various files is very time consuming. asked 12 Aug '11, 13:31  dpackboy edited 12 Aug '11, 17:59  helloworld |
One Answer:
I'd use a batch file and tshark to do this. You can use the parameters "-r" to read a file, "-R" to apply any display filter you'd manually use, and "-w" to write the resulting frames back to a new trace, for example:
That way my resulting trace file named "just-ftp.pcap" will only have packets that contain FTP or FTP data flows. You can run that kind of command on any number of files in a loop or by single commands batched together. Afterwards you might use mergecap to merge your resulting fragments together into one single pcap file. tshark and mergecap are command line tools installed together with Wireshark, so it is most likely you already have them on your computer. answered 12 Aug '11, 16:58  Jasper ♦♦ |
