tcpdump or tshark interfaces output in different files for different interfaces


I want to capture traffic from a few network interfaces and save the output to files. I can capture one interface's packets and redirect them to one file, but I can't capture several interfaces and save the output to separate files, one per network interface. For example, tshark -i eth0 >> eth0.log works and saves the packets, but when I try, for example, tshark -i eth0 >> eth0.log -i eth1 >> eth1.log, it saves all packets from both interfaces in one file, eth1.log. The same happens with tcpdump. How can I solve this problem and save captured packets for different interfaces to different files?

tshark -i eth0 >> eth0.log -i eth1 >> eth1.log and it saves just in eth1.log

Christopher Maynard On

You can either run two separate instances of tshark, as in:

tshark -i eth0 > eth0.log
tshark -i eth1 > eth1.log

Or if you want to only run a single instance, then you can write all packets from both interfaces to a single pcapng file and post-process the file to separate the output by interface. For example:

tshark -i eth0 -i eth1 -w eth0_and_eth1.pcapng

... some time later when capturing is completed...

tshark -r eth0_and_eth1.pcapng -Y 'frame.interface_name == "eth0"' > eth0.log
tshark -r eth0_and_eth1.pcapng -Y 'frame.interface_name == "eth1"' > eth1.log
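
Both approaches from the answer above, written as shell functions; this is an added example, not part of the original answer. `CAPTURE_BIN`, the function names and the interface-name check are assumptions of this example; the tshark options are the ones the answer uses, plus `-l`, which flushes output after each packet.

```shell
#!/bin/sh
# Added example, not the answer's own code.
# CAPTURE_BIN is a hypothetical override so another binary can be substituted.
CAPTURE_BIN="${CAPTURE_BIN:-tshark}"

# Accept only names that are safe as a file name and inside a display filter.
valid_iface() {
    case "$1" in
        ''|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
}

# start_captures OUTDIR IFACE...  (one capture process and one log per interface)
start_captures() {
    sc_dir=$1; shift
    for sc_if in "$@"; do
        valid_iface "$sc_if" || { echo "bad interface: $sc_if" >&2; return 2; }
    done
    mkdir -p "$sc_dir" || return 1
    sc_pids=
    for sc_if in "$@"; do
        # -l flushes stdout after each packet, so the log is current on disk.
        "$CAPTURE_BIN" -l -i "$sc_if" > "$sc_dir/$sc_if.log" &
        sc_pids="$sc_pids $!"
    done
    # A script's background jobs start with SIGINT ignored, so Ctrl-C may not
    # stop them; send TERM to every capture explicitly.
    trap 'kill $sc_pids 2>/dev/null' INT TERM
    sc_rc=0
    for sc_pid in $sc_pids; do wait "$sc_pid" || sc_rc=$?; done
    trap - INT TERM
    return "$sc_rc"
}

# split_by_interface PCAPNG OUTDIR IFACE...  (post-process one shared capture)
split_by_interface() {
    sp_file=$1; sp_dir=$2; shift 2
    mkdir -p "$sp_dir" || return 1
    for sp_if in "$@"; do
        valid_iface "$sp_if" || { echo "bad interface: $sp_if" >&2; return 2; }
        "$CAPTURE_BIN" -r "$sp_file" -Y "frame.interface_name == \"$sp_if\"" \
            > "$sp_dir/$sp_if.log" || return 1
    done
}
```

Call `start_captures ./logs eth0 eth1` for live per-interface logs, or `split_by_interface eth0_and_eth1.pcapng ./logs eth0 eth1` after a single-instance capture has finished.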