Wireshark-users: Re: [Wireshark-users] Reading multiple files in tcpdump

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 3 Mar 2009 19:29:55 -0800

On Mar 3, 2009, at 7:01 PM, Rayne wrote:

> I have multiple trace files all beginning with the prefix "trace1_" and I would like to read all these files, apply a filter on them and write the filtered packets into another pcap file.

> I've tried both reading from trace1* and listing all the filenames after the -r option, but I keep getting a syntax error.

That's because you can give only one argument to the "-r" flag (or any flag that takes an argument - and that's the case for most, if not all, command-line flags on UN*X).

> Can I read multiple files in tcpdump?

No.  tcpdump will read only one file.

I assume your goal is to combine all the packets from all the traces, and write out a subset of those packets, selected by a filter, to another file. If so, you could, as Stephen Fisher said, use mergecap to combine them into a file and then read the file with tcpdump and have it write the filtered packets to another file. It might also be possible to pipe mergecap's output to its standard output, and pipe it to a tcpdump that you've told to read from its standard input, and avoid the intermediate file.
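The piped variant suggested above, written out as a shell function. This is an added example, not part of the original message; the function name `filter_traces` and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# filter_traces PREFIX FILTER OUTFILE
# Merge every capture whose name starts with PREFIX (mergecap orders packets
# by timestamp) and write only the packets matching the capture filter FILTER
# to OUTFILE, without an intermediate merged file.
# Return codes (chosen for this example):
#   2 = no input files, 3 = missing tool, 4 = OUTFILE is one of the inputs.
filter_traces() {
    prefix=$1 filter=$2 out=$3

    # Let the shell expand the glob. mergecap accepts many input files,
    # unlike tcpdump's -r, which takes exactly one argument.
    set -- "$prefix"*
    if [ ! -e "$1" ]; then
        echo "no capture files match ${prefix}*" >&2
        return 2
    fi

    # An output name that also starts with PREFIX would be truncated by
    # tcpdump while mergecap is still reading it (plain string comparison).
    for f in "$@"; do
        if [ "$f" = "$out" ]; then
            echo "output file $out is also an input" >&2
            return 4
        fi
    done

    for tool in mergecap tcpdump; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "$tool not found in PATH" >&2
            return 3
        }
    done

    # -F pcap : emit classic pcap so older tcpdump builds can parse the stream
    # -w -    : mergecap writes the merged capture to standard output
    # -r -    : tcpdump reads the capture from standard input
    # -n      : skip name resolution; only the filter result is wanted
    mergecap -F pcap -w - "$@" | tcpdump -n -r - -w "$out" "$filter"
}

# Example call (file names are placeholders):
#   filter_traces trace1_ 'tcp port 80' filtered.pcap
```

Keep the output file name outside the `trace1_` prefix so a later run of the same glob does not merge the filtered capture back in.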