I am dealing with a large number of pcap files from numerous collection sources. I need to filter them programmatically, and I am using tshark for that, so I am merging all the files together first using mergecap. The problem with that is I also need collection-point information, which is only available in the capture file name. I tried using editcap to add per-packet comments specifying the original file; however, that is untenable (see below for the explanation). Any ideas how to track the original file after the pcap files are merged?
Why the editcap solution won't work

I considered using editcap to add per-packet comments on every packet before merging (How to add a comment to all packets in numerous pcap files before merging into a single file); however, the problem with this approach is that editcap requires every packet comment to be individually specified on the command line (you can't specify a range of packets). That's hundreds of thousands of comments, and the command line won't support that. Additionally, if I try to run editcap with just a few comments at a time over and over, it rewrites the entire file every time, leading to thousands of file rewrites. Also not viable.
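Added example, not part of the original question or of the Wireshark tools' documentation. The first two functions make the scaling problem concrete: editcap's `-a <frame>:<comment>` option takes one argument pair per frame, so the script generates those pairs for N frames and compares the resulting command-line size with the system's `ARG_MAX`. The last function is a way around the problem that keeps the file name: instead of merging and then filtering, it runs the same tshark display filter against each capture separately and prefixes every output line with the capture's file name. The filter, field list and file names are illustrative; `tshark` must be on PATH for `filter_tagged`, while the other functions need no capture tools at all.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes editcap's per-frame
# comment syntax "-a <frame>:<comment>" and tshark's -r/-Y/-T fields/-e
# options; the filter and fields used below are placeholders.

# Print the editcap arguments that would comment frames 1..N with COMMENT,
# one argument per line (an "-a" line followed by a "<frame>:<comment>" line).
build_comment_args() {
    n=$1
    comment=$2
    i=1
    while [ "$i" -le "$n" ]; do
        printf '%s\n%s:%s\n' -a "$i" "$comment"
        i=$((i + 1))
    done
}

# Bytes those argument pairs occupy on the command line (each argument plus
# its terminating NUL), so the total can be compared with getconf ARG_MAX.
comment_args_bytes() {
    build_comment_args "$1" "$2" |
        awk '{ total += length($0) + 1 } END { print total + 0 }'
}

# Would a single editcap command commenting N frames fit in one exec()?
# Prints "fits" or "too-long". ARG_MAX also has to hold the environment and
# the other arguments, so "fits" here is an upper bound, not a guarantee.
comment_cmd_fits() {
    limit=$(getconf ARG_MAX 2>/dev/null || echo 131072)
    if [ "$(comment_args_bytes "$1" "$2")" -lt "$limit" ]; then
        echo fits
    else
        echo too-long
    fi
}

# Run one display filter over each capture separately and tag each output
# line with the file it came from, so the collection point survives without
# merging. Usage: filter_tagged '<display filter>' '<field> <field>...' file...
# Output: <basename of file> TAB <requested fields, tab-separated>
filter_tagged() {
    filter=$1
    fields=$2
    shift 2
    field_args=""
    for fld in $fields; do
        field_args="$field_args -e $fld"
    done
    for f in "$@"; do
        # shellcheck disable=SC2086
        tshark -r "$f" -Y "$filter" -T fields $field_args |
            awk -v src="$(basename "$f")" 'BEGIN { OFS = "\t" } { print src, $0 }'
    done
}

# Stand-alone demonstration of the sizing problem (no capture tools needed).
if [ "${DEMO:-0}" = 1 ]; then
    echo "3 frames:      $(comment_args_bytes 3 site-A.pcap) bytes -> $(comment_cmd_fits 3 site-A.pcap)"
    echo "100000 frames: $(comment_args_bytes 100000 collector-alpha/site-07/capture-2019-01-01.pcap) bytes -> $(comment_cmd_fits 100000 collector-alpha/site-07/capture-2019-01-01.pcap)"
fi
```

Run `DEMO=1 sh script.sh` to see the byte counts; a six-figure frame count with a realistic file name as the comment lands in the megabytes, past the usual `ARG_MAX`, which is exactly the limit described above. `filter_tagged 'tcp.port == 443' 'frame.time ip.src ip.dst' captures/*.pcap` gives one tab-separated stream whose first column is the originating file, which can then be grepped or loaded as usual. The tagging costs one tshark start-up per file, but it avoids both the merge and the editcap rewrites. Separately worth checking in the local mergecap version: recent releases have an `-I` option selecting how interface description blocks are merged, and with per-file interfaces kept distinct the `frame.interface_id` field in the merged pcapng can be mapped back to the input file; I have not verified that behaviour here, so treat it as something to test.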