Revision history

revision 1 (initial version)

Not with Wireshark, but you could do it with tcpdump/WinDump, which supports filtering when reading a capture file, and uses libpcap/WinPcap filters, which is what Wireshark uses as a capture filter.

If you do `tcpdump -r {input file} -w {output file} {filter}`, and then read the output file, that'll show you what packets in the input file would be matched by the filter.

Note, by the way, that not all display filters can be converted to capture filters; the engine that produces the fields that a display filter can test is the same engine that does detailed dissection of packets, but the engine that performs capture filtering is a small pseudo-machine that cannot, for example, execute loops (because that engine can execute in an OS in kernel mode, and the creators of that engine didn't want a program to be able to put the OS kernel into an infinite loop).
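The `tcpdump -r in -w out {filter}` procedure from the answer above, as an added, self-contained example (it is not part of the original answer and not tcpdump project code). It assumes tcpdump is installed and on PATH; the two-packet capture file it reads is constructed inline with a small hex-to-bytes helper, so nothing has to be captured from a live interface. The capture filter `udp dst port 53` should keep exactly one of the two UDP frames, which is what the output file shows.

```sh
#!/bin/sh
# Added example: test a libpcap/BPF capture filter against a saved capture
# with "tcpdump -r input -w output filter", then inspect the output file.
# Assumes tcpdump is installed; the input pcap below is constructed sample data.

# Emit raw bytes from a string of hex pairs (POSIX sh only; spaces are ignored).
hex2bin() {
  s=$(printf '%s' "$1" | tr -d ' ')
  while [ -n "$s" ]; do
    pair=${s%"${s#??}"}                         # first two hex digits
    s=${s#??}
    printf "\\$(printf '%03o' "$((0x$pair))")"  # octal escape -> one byte
  done
}

# One Ethernet/IPv4/UDP frame, 46 bytes, 192.0.2.10 -> 192.0.2.1, UDP dst port $1
# (hex, e.g. "00 35"). Constructed data; checksums are left zero because the BPF
# filter engine never verifies them.
udp_frame() {
  hex2bin "00 11 22 33 44 55  66 77 88 99 aa bb  08 00"                  # Ethernet, type IPv4
  hex2bin "45 00 00 20 00 01 00 00 40 11 00 00  c0 00 02 0a  c0 00 02 01" # IPv4, proto 17 (UDP)
  hex2bin "c3 50 $1 00 0c 00 00  de ad be ef"                             # UDP sport 50000 + 4 bytes
}

# Write a pcap file with two UDP packets: one to port 53, one to port 80.
write_sample_pcap() {
  {
    # Global header: magic 0xa1b2c3d4 (little-endian), v2.4, snaplen 65535, linktype 1 (Ethernet)
    hex2bin "d4 c3 b2 a1  02 00 04 00  00 00 00 00  00 00 00 00  ff ff 00 00  01 00 00 00"
    # Record 1: ts 1.0 s, 46 bytes captured / 46 on the wire, UDP to port 53
    hex2bin "01 00 00 00  00 00 00 00  2e 00 00 00  2e 00 00 00"
    udp_frame "00 35"
    # Record 2: ts 2.0 s, UDP to port 80
    hex2bin "02 00 00 00  00 00 00 00  2e 00 00 00  2e 00 00 00"
    udp_frame "00 50"
  } > "$1"
}

# The command the answer describes: read $1, keep packets matching capture
# filter $3, write them to $2. The filter syntax is the libpcap/BPF syntax
# Wireshark uses for capture filters, not its display-filter syntax.
filter_capture() {
  tcpdump -r "$1" -w "$2" "$3" 2>/dev/null
}

# Number of packets in a pcap file (one summary line per packet; -nn avoids name lookups).
count_packets() {
  tcpdump -nn -r "$1" 2>/dev/null | wc -l | tr -d ' '
}

if command -v tcpdump >/dev/null 2>&1; then
  dir=$(mktemp -d)
  write_sample_pcap "$dir/in.pcap"
  filter_capture "$dir/in.pcap" "$dir/out.pcap" 'udp dst port 53'
  echo "input packets:   $(count_packets "$dir/in.pcap")"
  echo "matched packets: $(count_packets "$dir/out.pcap")"
  tcpdump -nn -r "$dir/out.pcap" 2>/dev/null   # the packet(s) the filter would have kept
  rm -rf "$dir"
fi
```

Swap the filter string for the one you intend to use during a live capture; if the output file is empty or keeps packets you did not expect, the filter is wrong, and you have found that out on a saved file rather than during the capture. Note that `-w` writes raw packets, so the output can be opened in Wireshark to check the matches with full dissection.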