This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use CaptureFilters as DisplayFilters

0

I'm wondering if there's a way in Wireshark to use Capture Filters in the Display Filters input box? I need this because I want to check a Capture Filter on a known PCAP before applying it somewhere else.

Is this at all possible (even through a plugin)?

asked 30 Jul '13, 06:32

Astraa


One Answer:

2

I want to check a Capture Filter on a known PCAP before applying it somewhere else

If by "check" you mean "make sure it filters the packets I expect it to filter", try running tcpdump on it; tcpdump uses libpcap filters. You could do tcpdump -r {input_file} {filter} and see whether it prints the packets you want, or tcpdump -r {input_file} -w {output_file} {filter} and then read {output_file} with Wireshark.

There's no way to use capture filters as display filters in Wireshark, and there's no "plugin point" that would make it possible for a plugin to do so.

answered 30 Jul '13, 11:43

Guy Harris ♦♦

I often go the tcpdump route myself.

However, it would be a nice feature to be able to filter with a capture (BPF) filter in Wireshark, as there are some things a BPF filter can do that a display filter can't do.

(31 Jul '13, 01:41) SYN-bit ♦♦

Or use WinDump if you're on Windows.

And if anyone ever decides to try to resolve bug 1814, then it might be possible in the future to do something like:

  • Windows: type file.pcap | tshark.exe -i - -f "capture filter"
  • *nix: cat file.pcap | tshark -i - -f "capture filter"
(31 Jul '13, 10:40) cmaynard ♦♦
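
The tcpdump check suggested in the answer, wrapped as a shell helper so a capture filter can be dry-run against a known PCAP before it is deployed. This is an added example, not code from the original posts; the function name check_capture_filter and its return codes are assumptions, and it relies only on tcpdump's -r, -d, -nn and -t options.

```shell
#!/bin/sh
# Added example: dry-run a capture (libpcap/BPF) filter against a saved capture.
# check_capture_filter is a hypothetical helper name, not part of tcpdump or Wireshark.
# Return codes (chosen for this example): 0 ok, 2 unreadable file,
# 3 filter rejected by libpcap, 127 tcpdump not installed.
check_capture_filter() {
    pcap=$1
    filter=$2

    [ -r "$pcap" ] || { echo "cannot read $pcap" >&2; return 2; }
    command -v tcpdump >/dev/null 2>&1 || { echo "tcpdump not found" >&2; return 127; }

    # -d compiles the filter and dumps the BPF program instead of printing packets.
    # Combined with -r, the filter is compiled for the link-layer type of the file,
    # so a filter that is invalid for that link type is caught here.
    if ! err=$(tcpdump -r "$pcap" -d "$filter" 2>&1 >/dev/null); then
        echo "filter rejected: $err" >&2
        return 3
    fi

    # tcpdump's default (non-verbose) text output is one line per packet,
    # so the line counts approximate the packet counts.
    total=$(tcpdump -r "$pcap" -nn -t 2>/dev/null | wc -l)
    matched=$(tcpdump -r "$pcap" -nn -t "$filter" 2>/dev/null | wc -l)

    # $(( )) strips the padding some wc implementations add.
    echo "matched=$((matched)) total=$((total))"
}

# Stand-alone use: ./check_filter.sh capture.pcap 'tcp port 443 and not host 10.0.0.1'
if [ "$#" -ge 2 ]; then
    check_capture_filter "$1" "$2"
fi
```

A result of matched=0, or matched equal to total, on a capture known to contain both wanted and unwanted traffic means the filter is too narrow or too broad.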