Wireshark-users: Re: [Wireshark-users] Tshark proces multiple files

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 14 Aug 2008 17:19:48 +0200
On Thu, Aug 14, 2008 at 05:11:22PM +0200, K Bertens wrote:
>    I would like tshark to extract all http data from a couple of capture
>    files.
>     
>    I tried:
>    tshark -r *.* -w /path/to/save/file -R "http"
>     
>    But get the error "Read filters were specified both with "-R" and with
>    additional command-line arguments"

Tshark can read only one file at a time, so if "*.*" matches multiple
files, the first filename is used as the input file, the other filenames
are used as extra command line options (which default to read filter).

>    Is there another solution to do this?

You would have to write a loop that walks through all your files and
saves the data to temporary files. Then you need to merge the temporary
files with mergecap. It will look something like this in bash:

# let the shell expand the glob; quoting keeps filenames with spaces intact
for file in *cap
do
   tshark -r "$file" -w "tmp-$file" -R "http"
done
mergecap -w http.cap tmp-*
rm -f tmp-*

Hope this helps,
Cheers,
   Sake
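
An added example, not part of the message above or of Wireshark itself: the same loop-then-mergecap approach as a shell function that keeps its temporary files in a private directory and reports inputs tshark could not process. The name filter_and_merge and the part-N.pcap naming are made up for this example; it uses -Y, the option current tshark releases take for a single-pass display filter where the 2008 command above used -R.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper, not from the original thread).
# Usage: filter_and_merge <output-file> <display-filter> <capture>...
# The body runs in a subshell, so variables, the trap and "exit" stay local.
filter_and_merge() (
    out=$1
    filter=$2
    shift 2
    rc=0
    n=0

    # Private scratch directory, removed however the subshell ends.
    tmpdir=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmpdir"' EXIT

    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skipping (not a regular file): $f" >&2
            continue
        fi
        n=$((n + 1))
        part="$tmpdir/part-$n.pcap"
        # tshark reads exactly one file per run, so call it once per input.
        if ! tshark -r "$f" -w "$part" -Y "$filter"; then
            echo "tshark failed on: $f" >&2
            rm -f "$part"   # do not merge a partial output
            rc=1
        fi
    done

    # Merge whatever was produced; mergecap orders packets by timestamp.
    set -- "$tmpdir"/part-*.pcap
    if [ -f "$1" ]; then
        mergecap -w "$out" "$@" || rc=1
    else
        echo "no filtered output to merge" >&2
        rc=1
    fi
    exit "$rc"
)
```

Called as filter_and_merge http.pcap http *.cap, it returns non-zero if any input failed, so a wrapper script can tell a complete extraction from a partial one.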