Wireshark-dev: Re: [Wireshark-dev] Add restrictions to arguments of dumpcap

From: Nathan Jennings <njen@xxxxxxxxxxxx>
Date: Thu, 07 May 2009 14:34:21 -0400
On 5/7/2009 9:10 AM, S�bastien Tandel wrote:
On Thu, May 7, 2009 at 03:05, Stephen Donnelly <stephen@xxxxxxxxxx> wrote:

Aaron Turner wrote:
On Wed, May 6, 2009 at 8:59 PM, Michael T�xen
<Michael.Tuexen@xxxxxxxxxxxxxxxxx> wrote:
On May 6, 2009, at 3:40 PM, Aaron Turner wrote:
I think this is confusing to many people and is more likely to have
unintended consequences.   Most users don't consider CLI option
ordering to have special meaning.  Personally, I prefer Stephen's
suggestion of directly linking the filter to the interface ala -i
en0:"sctp && host a.b.c.d" if you want to get fancy.

It also means the old style cli args could easliy be grand-fathered in
(any interface without a specific filter uses the global filter).

Completely agree to define something which is explicitly linked to which
interface the filter belongs. Ordering parameters is not intuitive.


I you do decide to go this way, ':' might not be the best delimiter
character to use. It is already used in libpcap interface names and
could cause parsing headaches.

I think some OSes use ':' in vlan interface names? Also ':' is used in
dag interface names to indicate sub streams, e.g. "dag0:2".


':' is indeed confusing. It is used by Linux to define virtual interfaces
like eth0:1


I had also thought of suggesting ":", but see the overloading problem now as Stephen D. pointed out... which reminded me of maybe another potential clash:

From a "preferences" file:

<... snip ...>
# Interface descriptions.
# Ex: eth0(eth0 descr),eth1(eth1 descr),...
capture.devices_descr: \Device\NPF_{"Windows-string"}(Intel NIC)
</snip>

... although I can't think of a clash with this off-hand right now.

Maybe this is better?:

dumpcap -n -i dag0:2,"sctp && host 1.2.3.4" -i en0

In the parser, you should probably check for and allow use of single quotes too (e.g. shell scripts), like:

dumpcap -n -i dag0:2,'sctp && host 1.2.3.4' -i en0

So any trailing capture filter on the command-line would apply to interfaces that do *NOT* have a format like:

<interface_name>,<filter_string>

-Nathan