Wireshark-dev: Re: [Wireshark-dev] Capture Filter

Date: Fri, 24 Apr 2009 22:43:15 +0000
Thanks for the response. I'll take a look at that. Is there a way to save just my protocol packets?

Greg
---- Guy Harris <guy@xxxxxxxxxxxx> wrote: 

=============

On Apr 24, 2009, at 3:13 PM, gogrady@xxxxxxxxx wrote:

> I want to be able to use my custom protocol as a capture filter, how  
> do I do this?

Capture filters are implemented by libpcap/WinPcap, not Wireshark, and  
are limited in their capabilities, as they are implemented by a simple  
mechanism designed to be capable of being implemented safely in the  
kernel (so that packets can be filtered out in the kernel and not  
copied to user space if they don't pass the filter; see

	http://www.tcpdump.org/papers/bpf-usenix93.pdf

for the rationale behind BPF).

See the "expression" section of

	http://www.tcpdump.org/tcpdump_man.html

for a full and complete description of what you can do with capture  
filters.  Unless you can express your desired capture filter in terms  
of things such as TCP or UDP port numbers, or expressions that might  
be able to look at the TCP or UDP payload, you cannot create a filter  
to try to capture only traffic for your protocol.
___________________________________________________
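The reply above says a capture filter for a custom protocol has to be written in terms of what BPF can see: port numbers and fixed byte offsets into the TCP or UDP payload. The following is an added example, not code from the thread or from the tcpdump/Wireshark projects. It assumes a hypothetical protocol on port 5000 whose payload starts with the 4-byte magic `GRGP`; it builds the matching libpcap expressions for UDP and for TCP (where the payload offset depends on the TCP header length), and reproduces the same decision in Python on a few constructed IPv4 packets so the offset arithmetic can be checked offline.

```python
import struct

# Assumptions (not from the thread): the custom protocol uses port 5000 and
# every payload begins with the 4-byte magic b"GRGP".
PORT = 5000
MAGIC = b"GRGP"


def udp_capture_filter(port, magic):
    """libpcap expression: udp[8:4] is the 4 bytes just past the 8-byte UDP header."""
    assert len(magic) == 4  # a BPF compare loads at most 32 bits; longer magics need several 'and'ed loads
    return "udp port %d and udp[8:4] = 0x%s" % (port, magic.hex())


def tcp_capture_filter(port, magic):
    """libpcap expression for TCP: the high nibble of tcp[12] is the data offset in
    32-bit words, so (tcp[12]&0xf0)>>2 is the header length in bytes, i.e. where
    the payload starts even when TCP options are present."""
    assert len(magic) == 4
    return "tcp port %d and tcp[((tcp[12]&0xf0)>>2):4] = 0x%s" % (port, magic.hex())


def matches(ipv4_packet, port, magic):
    """The decision the compiled BPF program makes, spelled out in Python.
    IPv4 only: the tcp[]/udp[] index operators do not work on IPv6 either."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        return False
    ihl = (ipv4_packet[0] & 0x0F) * 4
    proto = ipv4_packet[9]
    frag_off = struct.unpack("!H", ipv4_packet[6:8])[0] & 0x1FFF
    if frag_off != 0:
        return False  # libpcap's 'port' test only examines the first fragment
    l4 = ipv4_packet[ihl:]
    if proto == 17 and len(l4) >= 8:          # UDP: fixed 8-byte header
        sport, dport = struct.unpack("!HH", l4[:4])
        payload_off = 8
    elif proto == 6 and len(l4) >= 20:        # TCP: header length from data offset
        sport, dport = struct.unpack("!HH", l4[:4])
        payload_off = (l4[12] & 0xF0) >> 2
    else:
        return False
    if port not in (sport, dport):
        return False
    return l4[payload_off:payload_off + 4] == magic


# Constructed sample packets (checksums left as zero; BPF never checks them).
def ipv4(proto, l4):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + l4


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def tcp(sport, dport, payload, options=b""):
    hlen = 20 + len(options)
    assert hlen % 4 == 0 and hlen <= 60
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, (hlen // 4) << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload


# NOP, NOP, timestamp option: 12 bytes of options, so the TCP header is 32 bytes.
TS_OPTIONS = b"\x01\x01\x08\x0a" + b"\x00" * 8

SAMPLES = {
    "udp_ok": ipv4(17, udp(40000, PORT, MAGIC + b"\x00\x01hello")),
    "tcp_ok_with_options": ipv4(6, tcp(PORT, 51000, MAGIC + b"\x00\x02", TS_OPTIONS)),
    "wrong_magic": ipv4(17, udp(40000, PORT, b"HTTP/1.1")),
    "wrong_port": ipv4(17, udp(40000, 53, MAGIC + b"\x00")),
    "tcp_no_payload": ipv4(6, tcp(PORT, 51000, b"")),
}


def classify():
    """Which constructed packets the capture filter would let through."""
    return {name: matches(pkt, PORT, MAGIC) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    print(udp_capture_filter(PORT, MAGIC))
    print(tcp_capture_filter(PORT, MAGIC))
    for name, passed in classify().items():
        print("%-20s %s" % (name, "pass" if passed else "drop"))
```

The expression strings are what you paste into Wireshark's capture filter field or give to tcpdump; `tcpdump -w myproto.pcap 'udp port 5000 and udp[8:4] = 0x47524750'` then writes only the packets that pass the filter, which is one way to save just the protocol's traffic (`tcpdump -d '<expr>'` prints the compiled BPF program if you want to see what the kernel will run). The TCP variant is only reliable if the magic sits at the very start of the stream's segments; BPF sees one packet at a time and cannot follow a TCP stream, so a magic split across segments or preceded by other data will not match.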