The following works to perform a network trace for 1 hour (-a duration:3600) and to create multiple files of 10MB in size (-b filesize:10240). Files will have a “test” (-w test) prefix. The “-p” is to capture in promiscuous mode. This uses fewer system resources than trying to achieve the same thing using the Wireshark GUI.

dumpcap -a duration:3600 -b filesize:10240 -w test -p

To merge all the captures in one file:

mergecap -w bigfile littlefiles

For example:

mergecap -w all.cap one.cap two.cap etc.cap


mergecap -w all.cap small*.cap

To use tshark (installed with Wireshark) to filter a capture without using the GUI (much more efficient):

tshark -R "anydisplayfilters" -r inputfilename -w outputfilename

For example, here are two display filter examples. They are similar to the ones used in the Wireshark GUI. I kept trying to use tcpdump filters, which work fine for capturing:
tshark -R "ip.addr ==" -r in.cap -w out-filtered.cap
tshark -R "ip.addr ==" -r in.cap -w out-filtered.cap

Filter notes:
How to filter a time range:
(frame.time >= "mmm dd, yyyy hh:mm:ss") && (frame.time <= "mmm dd, yyyy hh:mm:ss")
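
Added example (not part of the original notes): a shell helper that turns two ordinary timestamps into the frame.time range filter above and slices a capture with it, which is handy when cutting an incident window out of a long dumpcap run. It assumes GNU date (for -d), the function names are made up for this example, and it passes the filter with tshark's -Y display filter option rather than -R.

```shell
#!/bin/sh
# Added example: build a frame.time range display filter in the
# "Mmm dd, yyyy hh:mm:ss" form and apply it with tshark.
# Assumptions: GNU date (-d); function names are hypothetical.

# Convert any timestamp GNU date understands into the text form
# used by the frame.time filter. LC_ALL=C keeps month names in English.
ws_time() {
    LC_ALL=C date -d "$1" '+%b %d, %Y %H:%M:%S' 2>/dev/null
}

# Print a display filter matching frames between two timestamps (inclusive).
# Returns 1 if a timestamp cannot be parsed, 2 if start is after end.
time_range_filter() {
    trf_start=$(ws_time "$1") || return 1
    trf_end=$(ws_time "$2") || return 1
    trf_s=$(date -d "$1" +%s 2>/dev/null) || return 1
    trf_e=$(date -d "$2" +%s 2>/dev/null) || return 1
    [ "$trf_s" -le "$trf_e" ] || return 2
    printf '(frame.time >= "%s") && (frame.time <= "%s")\n' \
        "$trf_start" "$trf_end"
}

# Write only the frames inside the time window to a new capture file.
# Usage: slice_capture in.cap out.cap "2024-06-12 09:00:00" "2024-06-12 09:15:00"
# Timestamps without a zone are read as local time, which is also how
# frame.time is compared.
slice_capture() {
    sc_filter=$(time_range_filter "$3" "$4") || {
        echo "slice_capture: bad or reversed time range" >&2
        return 1
    }
    tshark -r "$1" -Y "$sc_filter" -w "$2"
}
```

The timestamps in the usage comment are constructed sample values.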