On Apr 24, 2009, at 3:13 PM, gogrady@xxxxxxxxx wrote:
> I want to be able to use my custom protocol as a capture filter; how
> do I do this?
Capture filters are implemented by libpcap/WinPcap, not Wireshark, and
are limited in their capabilities, as they are implemented by a simple
mechanism designed to be capable of being implemented safely in the
kernel (so that packets can be filtered out in the kernel and not
copied to user space if they don't pass the filter; see
http://www.tcpdump.org/papers/bpf-usenix93.pdf
for the rationale behind BPF).
See the "expression" section of
http://www.tcpdump.org/tcpdump_man.html
for a full and complete description of what you can do with capture
filters. Unless you can express your desired capture filter in terms
of things such as TCP or UDP port numbers, or expressions that might
be able to look at the TCP or UDP payload, you cannot create a filter
to try to capture only traffic for your protocol.
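As an added illustration of the last paragraph (this is not part of Guy's reply, nor code from libpcap or Wireshark), here are two capture-filter expressions that select a hypothetical custom protocol the way the reply describes, by port number plus a payload check, together with a small Python evaluator that applies exactly the same byte tests to constructed Ethernet/IPv4 frames. The port (5555), the 4-byte message magic ("MYPR"), the MAC/IP addresses and the frames themselves are all assumptions made up for the example; the `udp[8:4]` and `tcp[((tcp[12]&0xf0)>>2):4]` offset syntax is the real tcpdump/libpcap syntax from the manual page linked above.

```python
"""Capture-filter expressions for a hypothetical custom protocol, plus a
reference evaluator that applies the same tests to constructed frames.
Example code only; not from the mailing-list thread, libpcap or Wireshark."""
import struct

PORT = 5555          # assumed port used by the custom protocol
MAGIC = b"MYPR"      # assumed 4-byte magic at the start of every message
MAGIC_INT = struct.unpack(">I", MAGIC)[0]

# udp[8:4] = the 4 bytes just past the fixed 8-byte UDP header (first payload bytes).
UDP_FILTER = f"udp port {PORT} and udp[8:4] = 0x{MAGIC_INT:08x}"
# The TCP header length is variable: tcp[12]>>4 is the data offset in 32-bit
# words, so (tcp[12]&0xf0)>>2 is the header length in bytes.
TCP_FILTER = f"tcp port {PORT} and tcp[((tcp[12]&0xf0)>>2):4] = 0x{MAGIC_INT:08x}"


def _ipv4_transport(frame):
    """Return (protocol, transport_bytes) for an Ethernet/IPv4 frame, or None
    when the frame is not IPv4 or is a non-first fragment. libpcap's udp[]/tcp[]
    indexing implicitly requires fragment offset 0, so later fragments never match."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    frag_off = struct.unpack(">H", ip[6:8])[0] & 0x1FFF
    if frag_off != 0 or len(ip) < ihl:
        return None
    return ip[9], ip[ihl:]


def udp_filter_matches(frame):
    """Same decision as UDP_FILTER. A packet too short for udp[8:4] is rejected,
    which is also what BPF does when a load runs past the end of the packet."""
    r = _ipv4_transport(frame)
    if r is None or r[0] != 17:
        return False
    udp = r[1]
    if len(udp) < 12:
        return False
    sport, dport = struct.unpack(">HH", udp[:4])
    return PORT in (sport, dport) and udp[8:12] == MAGIC


def tcp_filter_matches(frame):
    """Same decision as TCP_FILTER, honouring the variable TCP header length."""
    r = _ipv4_transport(frame)
    if r is None or r[0] != 6:
        return False
    tcp = r[1]
    if len(tcp) < 20:
        return False
    sport, dport = struct.unpack(">HH", tcp[:4])
    hlen = (tcp[12] & 0xF0) >> 2
    if len(tcp) < hlen + 4:
        return False
    return PORT in (sport, dport) and tcp[hlen:hlen + 4] == MAGIC


# ---- constructed test frames (addresses and checksums are dummies) ----
ETH = b"\x00" * 12 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4


def _ipv4_header(proto, payload_len, frag_off=0):
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                       frag_off & 0x1FFF, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def build_udp_frame(sport, dport, payload, frag_off=0):
    udp = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ETH + _ipv4_header(17, len(udp), frag_off) + udp


def build_tcp_frame(sport, dport, payload, options=b""):
    """options must be a multiple of 4 bytes so the data offset stays exact."""
    hlen_words = (20 + len(options)) // 4
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, hlen_words << 4,
                      0x18, 65535, 0, 0) + options + payload
    return ETH + _ipv4_header(6, len(tcp)) + tcp


if __name__ == "__main__":
    print(UDP_FILTER)
    print(TCP_FILTER)
    print(udp_filter_matches(build_udp_frame(40000, PORT, MAGIC + b"\x00\x01")))
    print(tcp_filter_matches(build_tcp_frame(40000, PORT, MAGIC + b"\x00\x01")))
```

Two caveats the evaluator makes visible: the TCP expression only matches segments whose payload begins with the magic, so handshake packets, pure ACKs and any segment where a message boundary does not coincide with the segment start are not captured (TCP is a byte stream, and BPF has no state across packets); and both expressions see only the first IP fragment. You can inspect the BPF program libpcap generates for either expression with `tcpdump -d '<expression>'`.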