Wireshark mailing list archives
Aggregating PCAP files
From: Nicolas Greneche <nicolas.greneche () univ-orleans fr>
Date: Thu, 20 May 2010 16:23:25 +0200
Hi all,

I use FreeBSD 8.0 64-bit. I record network traces on my network this way with dumpcap:

    dumpcap -i bridge0 -w /store/pcap/fede/capture.pcap -b filesize:300000 -b files:1500

Interface bridge0 is composed of em1 and em0, which are connected to a network TAP.

It works well, and I developed a small shell script that selects a subset of files given a time interval.

I tried to send this subset of pcap files to a named pipe like this:

    cat fic1.pcap fic2.pcap ... > /my/named/pipe

With a tshark on the named pipe:

    tshark -i /my/named/pipe -w /store/pcap/dns.pcap 'dst port 53'

With a "capture filter" to get only DNS traffic in dns.pcap.

And when I re-read this pcap like this:

    tshark -r /store/pcap/dns.pcap

I got all the traffic (not only DNS).

I also tried with a "read filter":

    tshark -i /my/named/pipe -w /store/pcap/dns.pcap -R "udp.port==53"

The result in the resulting pcap is the same.

Did I miss something about the filter?

Thanks for your help,

--
Nicolas Greneche - CISO and Sysadmin
Centre de Ressources Informatiques (CRI)
PhD student in the SDS project - www.sds-project.fr
Mail : nicolas.greneche_(at)_univ-orleans.fr
GPG : http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5FEBD0EF
Web : http://blog.garnett.fr
Tel : 02 38 49 25 26
Universite d'Orleans
Batiment 3IA - 2e etage
6 rue Leonard de Vinci
BP 6102
45061 ORLEANS Cedex 2
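The aggregation and DNS selection described in the message above can also be done offline on the files themselves. The following is an added example, not part of the original post and not Wireshark code: it merges several capture files into one and keeps only packets whose destination port is 53. It assumes classic pcap files (not pcapng) with Ethernet link type and untagged IPv4 frames; each such file begins with its own 24-byte global header, which the merge writes only once. The function names and the sample data are constructed for illustration.

```python
import struct

MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap, usec timestamps
GLOBAL_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet

def read_pcap(data):
    """Yield (ts_sec, ts_usec, orig_len, frame) for each record of one pcap file."""
    endian = MAGIC.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24  # skip this file's own global header
    while off + 16 <= len(data):
        sec, usec, caplen, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if off + caplen > len(data):
            break  # last record truncated, e.g. file still being written
        yield sec, usec, orig, data[off:off + caplen]
        off += caplen

def dst_port(frame):
    """TCP/UDP destination port of an untagged IPv4 Ethernet frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] not in (6, 17):
        return None
    if struct.unpack("!H", frame[20:22])[0] & 0x1FFF:
        return None  # non-first fragment carries no port fields
    l4 = 14 + (frame[14] & 0x0F) * 4
    return struct.unpack("!H", frame[l4 + 2:l4 + 4])[0] if len(frame) >= l4 + 4 else None

def merge_filter(files, port=53):
    """Merge pcap files (bytes) into one pcap holding only packets sent to `port`."""
    kept = sorted(r for f in files for r in read_pcap(f) if dst_port(r[3]) == port)
    return GLOBAL_HDR + b"".join(
        struct.pack("<IIII", s, u, len(fr), o) + fr for s, u, o, fr in kept)

def sample_pcap(ts, dports):
    """Constructed sample data: one pcap file of UDP/IPv4 frames to `dports`."""
    out = GLOBAL_HDR
    for i, p in enumerate(dports):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + struct.pack("!HHHH", 40000, p, 8, 0)
        out += struct.pack("<IIII", ts + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":
    merged = merge_filter([sample_pcap(200, [53, 80]), sample_pcap(100, [443, 53, 53])])
    print(len(list(read_pcap(merged))), "DNS-bound packets kept")
```

The example holds whole files in memory; ring-buffer files as large as the ones in the dumpcap command above would need a streaming reader instead.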