Is it possible to use tshark to check whether one or more ip addresses appear in a pcap file? I know that I can display all occurrences with tshark -r infile -w outfile ip.addr==172.26.29.2 || ip.addr==172.26.31.21, but is there an option to not display all (maybe only the first occurrence.)?
You should be able to achieve this, either taking these few steps:
Get the list of all source IP addresses:
tshark -r infile -Y "ip" -T fields -e ip.src > infile_ips.txt
Append with the list of all destination IP addresses:
tshark -r infile -Y "ip" -T fields -e ip.dst >> infile_ips.txt
Ensure all IPs are listed on separate lines, which they might not be in the case of tunneled IPs or for ICMP errors, then sort the list and eliminate duplicates:
cat infile_ips.txt | tr , '\n' | sort -u
Or a bit more easily using this single step:
tshark -r infile -Y "ip" -T fields -e ip.addr | tr , '\n' | sort -u
Once you have the list of all unique IP addresses present in the capture file, you can search that list for whatever IP address you're interested in by using grep or by whatever other means you want.
Refer to the tshark man page for more information regarding the options I used above.