Is there a field name for pcap filename?
I'm using a program that executes tshark to collect a series of fields from a large collection of pcap files. So internally it fires up tshark for each pcap file in turn.
Outputting the fields from the pcap is fine - I'm using the "-e" option to specify each of the fields names I need. Most of the time that is just fine, but I have a use-case where I also need to know the name of the pcap where there field data came from.
Is there a field name that corresponds to the pcap filename? Checked the fields reference here, but don't see anything.
If it doesn't exist I can change the program to get it to output the filename.
Comments
Question: When you run tshark on a file, you already know the file name, so why would you need having it in a field?
The problem is I'm not running against a single pcap file. This is all happening within a program that invokes tshark against each pcap in turn. The tshark output doesn't show which file the data came from.
I have a script that indexes all my pcaps to extract fields and the script prepends the filename to the fields. So maybe you can do something similar in your setup? Have the output of tshark post-processed to include the filename there where you need it. If this does not work for you, could you please tell me more about what you are trying to accomplish?
Updated question to add more detail