This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using 'follow udp stream' in a script to deal with thousands of pcap files

0

Thanks. Maybe this is another question:

I wrote a script to deal with multiple files as follows:

#!/bin/bash
for file in 'datadir/*'
do
    tshark -r $file -R '(ip.addr eq 10.0.072 and ip.addr eq 10.0.1.102) and (udp.port eq 65505 and udp.port eq 4005)' -T fields -e data | tr -d '\n' > $file.raw
done

If there is only 1 file in the datadir, I get one output file, but it fails if there is more than one file in the datadir.

Here is the message from system: tshark: Read filters were specified both with "-R" and with additional command-line arguments

Have I done something wrong?

Thanks for any hint.

asked 13 Jul '17, 19:24

tree0520

converted to question 13 Jul '17, 22:42

Jaap ♦

Your answer has been converted to a question as that's how this site works. Please read the FAQ for more information.

(13 Jul '17, 22:43) Jaap ♦

One Answer:

0

I guess your for loop is wrong: the file variable contains a list of all files.

Better run:

for file in `ls -1 datadir/*`

Furthermore, when calling tshark with '-R' you also have to use '-2', or use single-pass filtering with '-Y'.

answered 14 Jul '17, 04:14

Uli

Well, as for me, the correct syntax would be

for file in datadir/*

or

for file in $(ls datadir/*)
(14 Jul '17, 08:46) sindy
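
The loop with the unquoted glob from the comment and the '-Y' filter from the answer, as an added example that is not part of the original thread. The function name extract_streams and the FILTER variable are assumptions made for this example; FILTER keeps only the port clause of the question's filter.

```shell
#!/bin/bash
# Added example: per-file extraction loop using the tshark options named on this page.
# FILTER (assumed name) holds the port clause of the question's filter; extend as needed.
FILTER=${FILTER:-'udp.port eq 65505 and udp.port eq 4005'}

# extract_streams DIR: write DIR/<capture>.raw for every capture file in DIR
# and print the number of captures processed.
extract_streams() {
    local dir="$1" file count=0
    # Unquoted glob: the shell expands it to one word per file, so "$file"
    # holds exactly one path per iteration, even if the name contains spaces.
    for file in "$dir"/*; do
        [ -f "$file" ] || continue              # glob matched nothing, or a directory
        case $file in *.raw) continue ;; esac   # skip output left by earlier runs
        # -Y is the single-pass display filter; -R would additionally need -2.
        # Quoting "$file" keeps the path a single argument, so no stray word
        # follows -r for tshark to interpret as a second read filter.
        tshark -r "$file" -Y "$FILTER" -T fields -e data | tr -d '\n' > "$file.raw"
        count=$((count + 1))
    done
    echo "$count"
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    extract_streams "$1"
fi
```

Quoting every expansion of `$file` matters for more than correctness: an unquoted path is split into several arguments, which is how the extra file names in the question ended up being read by tshark as a filter.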