Wireshark-dev: Re: [Wireshark-dev] Add restrictions to arguments of dumpcap

From: Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Thu, 7 May 2009 13:31:13 -0400
On May 7, 2009, at 1:10 AM, Aaron Turner wrote:

On Wed, May 6, 2009 at 8:59 PM, Michael Tüxen
<Michael.Tuexen@xxxxxxxxxxxxxxxxx> wrote:
On May 6, 2009, at 3:40 PM, Aaron Turner wrote:

Personally I think different filters for different interfaces doesn't
make a lot of sense.  I really can't imagine a situation when you'd
need to capture different kinds of packets on different interfaces but
write to a single file.
For SCTP I might want to capture on two different interfaces
traffic belonging to the same transport connection. I might want
to filter on different destination addresses:
dumpcap -n -i en0 -f sctp && host a.b.c.d -i en1 -f sctp && host e.f.g.h

I'm not sctp knowledgeable, but is there a reason you couldn't just
write a single filter for both interfaces as:

sctp && (host a.b.c.d || host e.f.g.h)
You could do that... But this does not work for the -y option
when capturing on different physical interfaces...


At least, I think it's fair to say that single filter w/ multiple
interfaces is a more common case then multiple filters & multiple
interfaces.  Ideally the more common case shouldn't require you to
specify the same filter twice.
But I need a way to distinguish whether this filter applies for
all interfaces or only for one...

Fair enough, but it is my opinion that the vast majority of users
don't need this functionality.

So we could do
dumpcap -f sctp -n -i en0 -i en1
(filter before interface) to mean setting for all interfaces
and
dumpcap -n -i en0 -f sctp -i en1
(filter after interface) that sctp is used only for en0 and en1
has no capture filter.

What do you think about this?

I think this is confusing to many people and is more likely to have
unintended consequences.   Most users don't consider CLI option
ordering to have special meaning.  Personally, I prefer Stephen's
suggestion of directly linking the filter to the interface ala -i
en0:"sctp && host a.b.c.d" if you want to get fancy.

It also means the old style cli args could easliy be grand-fathered in
(any interface without a specific filter uses the global filter).

--
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
   -- Benjamin Franklin
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe