Wireshark-dev: [Wireshark-dev] Automatically stopping a live capture after specific packet cont

From: Dylan Ulis <daulis0@xxxxxxxxx>
Date: Mon, 2 Jul 2018 23:12:25 -0400
All,

I talked to Roland, Peter and Graham at SF about this, but I didn't get the answer I wanted, so I figured I'd give it a try to implement :)

I'd like to automatically stop a live capture after some specific thing is seen in a packet - using either a BPF style filter or a display filter. I think display filters are a little easier for users, since many users are more familiar with them. Dumpcap.bat (https://wiki.wireshark.org/Tools) has similar functionality (using BPF filters), but it's specific to Windows, and I'd like to have something built into Wireshark to make it easy.

It's a useful feature because:
1. It's often easier when the symptom of a problem is the last packet in a capture, and you can scroll up in the trace to see what caused it.
2. For ring buffers, sometimes the data is lost after letting a capture run for long periods of time. Very long running captures are common where I work for many test scenarios.

My idea:
1. GUI: Capture -> Options -> Options. Under "Stop capture automatically after", add a new option for X "matches of current display filter" or "number of displayed packets", where X is an integer (like the other options).
2. file.c: When capture_file.displayed_count >= X, Stop the live capture.

Questions:
1. How can I signal from file.c into wherever in the GUI can stop the capture?
2. Anything that you think will cause me problems with this approach?

I'm willing to give this a try, even if you don't like the idea right now. I think it would help to see a prototype in Gerrit after I work through it.

Thanks,
Dylan
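The stop condition sketched above (keep counting displayed packets, stop the live capture once displayed_count >= X) is small enough to model outside Wireshark. The following is an added example, not code from the post or from the Wireshark tree: it runs a constructed packet list through a capture loop with a display-filter predicate and an optional ring buffer, and contrasts the proposed auto-stop with letting the capture run on. The packet records, the `is_reset` predicate and the function names are assumptions made for the example; in Wireshark the counter would be `capture_file.displayed_count` and the stop would have to be signalled to the capture session rather than by breaking out of a loop.

```python
"""Model of 'stop capture after X display-filter matches' (added example, not Wireshark code)."""
from collections import deque

# Constructed sample traffic: ACKs, one RST at packet 6, then more ACKs.
# The RST is the "symptom" packet the poster wants to end up last in the trace.
SAMPLE_PACKETS = (
    [{"no": i, "proto": "tcp", "flags": "ACK"} for i in range(1, 6)]
    + [{"no": 6, "proto": "tcp", "flags": "RST"}]
    + [{"no": i, "proto": "tcp", "flags": "ACK"} for i in range(7, 20)]
)

def is_reset(pkt):
    """Stand-in for a display filter such as tcp.flags.reset == 1 (assumed field names)."""
    return pkt["proto"] == "tcp" and "RST" in pkt["flags"]

def run_capture(packets, display_filter, stop_after_matches, ring_size=None):
    """Feed packets through a capture loop.

    captured_count mirrors the packets dumpcap would write; displayed_count mirrors
    the packets passing the display filter. The loop stops as soon as
    displayed_count >= stop_after_matches, which is the proposed new autostop.
    ring_size limits how many packets are retained, like a ring buffer.
    """
    kept = deque(maxlen=ring_size)  # unbounded when ring_size is None
    captured = 0
    displayed = 0
    stopped = False
    for pkt in packets:
        captured += 1
        kept.append(pkt)
        if display_filter(pkt):
            displayed += 1
            if displayed >= stop_after_matches:
                stopped = True  # here Wireshark would stop the live capture
                break
    return {
        "captured_count": captured,
        "displayed_count": displayed,
        "stopped": stopped,
        "kept_numbers": [p["no"] for p in kept],
    }

def compare_ring_buffer(packets, display_filter, ring_size):
    """Show why the option matters with a ring buffer: with auto-stop the matching
    packet is the last one retained; without it the ring rolls past the evidence."""
    with_stop = run_capture(packets, display_filter, 1, ring_size)
    without_stop = run_capture(packets, display_filter, len(packets) + 1, ring_size)
    return {
        "with_autostop_kept": with_stop["kept_numbers"],
        "without_autostop_kept": without_stop["kept_numbers"],
        "symptom_retained_with_autostop": any(
            display_filter(p) for p in packets if p["no"] in with_stop["kept_numbers"]),
        "symptom_retained_without_autostop": any(
            display_filter(p) for p in packets if p["no"] in without_stop["kept_numbers"]),
    }

if __name__ == "__main__":
    print(run_capture(SAMPLE_PACKETS, is_reset, 1, ring_size=4))
    print(compare_ring_buffer(SAMPLE_PACKETS, is_reset, ring_size=4))
```

Note the distinction the model makes explicit: the existing "stop after N packets" option counts every captured packet, while the proposed option only counts packets that pass the display filter, so a filter that matches rarely still stops the capture at the right moment.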