Wireshark-users: Re: [Wireshark-users] Is it a bug with Wireshark?

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Vinay Chilakamarri" <vinay.chilakamarri@xxxxxxxxx>
Date: Tue, 15 Apr 2008 11:52:24 -0700
Hi,

Since I cannot specify a display filter as a command line argument to Wireshark, I want to know if there is a way for me to specify this in some way so that Wireshark displays only those packets that meet the condition that I gave. I am pretty new to this capturing stuff so please give me any suggestions that I can apply in this case.

Thanks!

On Tue, Apr 15, 2008 at 5:13 AM, Jason <wireshark@xxxxxxxxxxxxxx> wrote:
Guy Harris wrote:
> Jason wrote:
>
>> However, the OP of this thread appeared to be talking about using '-R'
>> to set the Display Filter in wireshark during an autostarted, '-k', live
>> capture.  So, we're not looking for setting a capture filter with '-R'
>> like tshark does for reading files.  Only to set the Diplay Filter when
>> autostarting.  Maybe it should have a different switch, to clarify it.
>
> Given that the "R" in "-R" stands for "read", as in "read filter", as in
> "filter that's applied when reading packets", that would be the wrong
> flag for a *display* filter that's not applied when Wireshark initially
> reads in the packets - i.e., a "set the display filter" flag wouldn't
> cause packets that don't match the filter to be discarded when the
> capture is being read, it would just cause them not to be displayed -
> clearing the display filter would show those packets.

mmmmm, suddenly '-y' and '-k' make perfect sense ;-)

Since '-D' is taken by:

  -D                       print list of interfaces and exit

how about '-d'?  Like so:

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -d <display filter>      set display filter on start (def: none)
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"

I had a patch which used the display filter compiler on the '-R'
argument and set the running display filter.  Unfortunately, I might
have wiped it during a recent cleanup.  It wasn't too difficult.  iirc,
it was all in gtk/main.c  I had some trouble (I think with the gtk side
of it) that it wouldn't always show the text of the filter in the
Display Filter text entry box...

Jason.
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users