Capture multiple interfaces with tshark, hit ctrl-c and display resulting pcap files with wireshark.

tcap

#!/bin/bash

INTERFACES="enp3s0 enp4s0 brmn001"

TS="`date +%Y%m%dT%H%M%S`"

trap interrupted_tshark SIGINT SIGTERM

PIDS=""
PCAPFILES=""

function interrupted_tshark
{
  echo "!!!!!!!!!!!!!!!!!!"
  for i in ${PIDS}; do
    echo "Killing tshark PID ${i}"
    kill ${i}
  done
  for i in ${PIDS}; do
    echo "Waiting for tshark PID ${i}"
    wait ${i}
  done
  PIDS=""
  for i in ${PCAPFILES}; do
    echo "Starting WireShark for file ${i}"
    wireshark ${i} > /dev/null 2>&1 &
    PID=$!
    if [ "xx${PIDS}yy" == "xxyy" ]; then
      PIDS=${PID}
    else
      PIDS="${PIDS} ${PID}"
    fi
  done
  echo "Press Ctrl-C to kill all wiresharks: ${PIDS}..."
  trap interrupted_wireshark SIGINT SIGTERM
  wait ${PIDS}
  for i in ${PIDS}; do
    echo "Killing Wireshark PID ${i}"
    kill ${i}
  done
  exit 0
}

function interrupted_wireshark
{
  echo "!!!!!!!!!!!!!!!!!!"
  echo "INTERRUPTED: Killing WIRESHARKs ${PIDS}"
}

for i in ${INTERFACES}; do
  PCAPFILE="${TS}_${i}.pcap"
  tshark -i ${i} -w ${PCAPFILE} &
  PID=$!
  echo "${i}: Capturing to ${PCAPFILE} (${PID})"
  if [ "xx${PIDS}yy" == "xxyy" ]; then
    PIDS=${PID}
  else
    PIDS="${PIDS} ${PID}"
  fi
  if [ "xx${PCAPFILES}yy" == "xxyy" ]; then
    PCAPFILES=${PCAPFILE}
  else
    PCAPFILES="${PCAPFILES} ${PCAPFILE}"
  fi
done

echo "Press Ctrl-C to kill all tsharks and start WireSharks..."
wait ${PIDS}

• The first Crtl-C stops the tshark(s) network capture to *.pcap files and starts a WireShark GUI for each captured *.pcap file.
• The second Ctrl-C kills all the WireShark(s) that are displaying the captured *.pcap files.