On Jan 9, 2019, at 9:29 PM, Albretch Mueller <lbrtchx@xxxxxxxxx> wrote:
> in order for only that kind of traffic to be logged to a file?
>
> You could indicate the interface to listen to with:
>
> wireshark -i <interface>
>
> but how do you also indicate that all traffic to certain IP addresses
> should be "followed" and streamed to a certain file on exit?
(Note: the traffic isn't sent to a capture file on exit. Wireshark doesn't capture packets, store them in memory, and only write them out to a file on a save; it writes packets to a file as they're captured. "Saving" to a file could involve renaming the file, if it's a temporary file, or copying it to a new location. And the save is just a sequence of writes - it's not "streamed" in any sense that you can follow the stream; you have to wait for Wireshark to finish writing it, and only read it when it's done, unless you don't mind running the risk of errors reading from a partially-written file.)
The way you set a capture filter from the command line is, to quote the man page:
    -f <capture filter>
        Set the capture filter expression.

        This option can occur multiple times. If used before the first
        occurrence of the -i option, it sets the default capture filter
        expression. If used after an -i option, it sets the capture filter
        expression for the interface specified by the last -i option
        occurring before this option. If the capture filter expression is
        not set specifically, the default capture filter expression is used
        if provided.

        Pre-defined capture filter names, as shown in the GUI menu item
        Capture->Capture Filters, can be used by prefixing the argument
        with "predef:". Example: -f "predef:MyPredefinedHostOnlyFilter"
So you'd do something such as
wireshark -i <interface> -f "host <IP address 1> or <IP address 2> or ... or <IP address N>"
Note, by the way, that if you also pass the -k flag, Wireshark will start capturing as soon as it's finished initializing, so you don't have to click anything to start it.
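As an added example (not from this thread), here is a small POSIX sh helper that builds the "host A or B or ..." capture filter from a list of addresses, rejects anything that isn't a plain dotted-quad IPv4 address so that stray text can't change the meaning of the filter expression handed to -f, and then assembles the wireshark command line with -i, -f and -k. The -w option for the output file is a standard Wireshark option rather than one mentioned above, and the interface name and file path in the usage line are placeholders.

```sh
#!/bin/sh
# Added example: build a host capture filter and launch Wireshark with it.

# Accept only dotted-quad IPv4 addresses (assumption: IPv4 only). Anything
# else is refused, so an argument like "10.0.0.1 or not port 22" cannot be
# spliced into the -f expression and silently widen the capture.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print "host A or B or C". pcap-filter applies the most recent keyword
# ("host") to each bare identifier that follows, as in the thread's example.
build_host_filter() {
    filter=''
    for ip; do
        is_ipv4 "$ip" || { echo "rejected address: $ip" >&2; return 1; }
        if [ -z "$filter" ]; then
            filter="host $ip"
        else
            filter="$filter or $ip"
        fi
    done
    [ -n "$filter" ] || return 1
    printf '%s\n' "$filter"
}

# run_capture IFACE OUTFILE ADDR...: -k starts capturing at once (as noted
# above); -w writes packets to OUTFILE as they are captured.
run_capture() {
    iface=$1; outfile=$2; shift 2
    filter=$(build_host_filter "$@") || return 1
    wireshark -i "$iface" -k -f "$filter" -w "$outfile"
}

# usage (placeholders): run_capture eth0 /tmp/hosts.pcapng 10.0.0.1 10.0.0.2
if [ $# -ge 3 ]; then run_capture "$@"; fi
```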