All,
I talked to Roland, Peter and Graham at SF about this, but I didn't get the answer I wanted, so I figured I'd give it a try to implement:)
I'd like to automatically stop a live capture after some specific thing is seen in a packet - using either a BPF style filter or a display filter. I think display filters are a little easier for users, since many users are more familiar with them. Dumpcap.bat (
https://wiki.wireshark.org/Tools) has similar functionality (using BPF filters), but it's specific to Windows, and I'd like to have something built into Wireshark to make it easy.
It's a useful feature because:
1. It's often easier when the symptom of a problem is the last packet in a capture, and you can scroll up in the trace to see what caused it.
2. For ring buffers, sometimes the data is lost after letting a capture run for long periods of time. Very long running captures are common where I work for many test scenarios.
My idea:
1. GUI: Capture -> Options -> Options. Under "Stop capture automatically after", add a new option for X "matches of current display filter" or "number of displayed packets". Where X is an integer (like the other options).
2. file.c: When capture_file.displayed_count >= X, Stop the live capture.
Questions:
1. How can I signal from file.c into wherever in the GUI can stop the capture?
2. Anything that you think will cause me problems with this approach?
I'm willing to give this a try, even if you don't like the idea right now. I think it would help to see a prototype in Gerrit after I work through it.
Thanks,
Dylan