Is it possible to apply a read filter on a .pcap file using tshark based on the interface?

Question

Can I do something like :

tshark -r filename.pcap -R -i wan0 ?

Where filename.pcap is the packet capture file being analysed and wan0 is the interface for which I need to apply the filter?

Answer 1

The normal pcap format as used by tcpdump does not contain information about the interface name where a packet was captured. The pcapng format as used by tshark or wireshark by default does have this information. With pcapng one could apply a display filter like this:

tshark -r file.pcapng -Y 'frame.interface_name == "wan0"'

Of course, this makes only sense if the pcapng file contains packets captured on multiple interfaces. Otherwise this filter would just result in no packets or all packets. Specifically it will not help to capture on the any pseudo-interface since the pcapng will not contain the names of the various interfaces on the system but just show all packets captured on the single any pseudo-interface.