Revision history

Revision 4

On a UN*X system:

You can store a capture filter in a file and then use:

dumpcap -i 5 -f "$(cat capturefilterfile.txt)"

That works if you only have a single capture filter in that file, but if you want to keep multiple capture filters in the file, each prepended with a label, you can do that as well. Let's assume you prepend each filter like this:

Filter1:udp
Filter2:tcp
Filter3:ip and (udp or tcp)

Then you'll just need to do something like this instead:

dumpcap -i 5 -f "$(grep ^Filter3 capturefilterfile.txt | cut -d ':' -f 2)"

If you don't want to type that each time, you can simplify things by wrapping it into a script, say dumpcap.sh with contents like:

#!/bin/sh
if [ "$#" -lt 1 ]          # POSIX test: (( ... )) is bash-only and fails under /bin/sh
then
        echo "Usage: $0 <capturefilterlabel>" >&2
        exit 1             # usage error, so exit non-zero
fi

interface=5
# "^$1:" matches the whole label (plain ^Filter1 would also match Filter10);
# -f 2- keeps everything after the first ':' so a filter containing ':' is not truncated
filter=$(grep "^$1:" capturefilterfile.txt | cut -d ':' -f 2-)
if [ -z "$filter" ]
then
        echo "No capture filter labelled $1 in capturefilterfile.txt" >&2
        exit 1             # an empty -f expression would capture everything
fi
dumpcap -i "$interface" -f "$filter"

Now if you want to use the Wireshark cfilters file, then the syntax and parsing is a bit different. For that, you'd need to modify the above dumpcap.sh script to something like this:

#!/bin/sh
if [ "$#" -lt 1 ]          # POSIX test: (( ... )) is bash-only and fails under /bin/sh
then
        echo "Usage: $0 <capturefilterlabel>" >&2
        exit 1             # usage error, so exit non-zero
fi

interface=5
cfilterfile=/usr/share/wireshark/cfilters
# cfilters lines look like:   "Label" filter expression
# field 3 of a split on '"' is the text after the closing quote; awk trims the whitespace around it
cfilter=$(grep "^\"$1\"" "$cfilterfile" | cut -d '"' -f 3 | awk '{$1=$1;print}')
if [ -z "$cfilter" ]
then
        echo "No capture filter labelled \"$1\" in $cfilterfile" >&2
        exit 1             # an empty -f expression would capture everything
fi
dumpcap -i "$interface" -f "$cfilter"

See also: https://gitlab.com/wireshark/wireshark/-/issues/8091
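Both file formats above handled by one script, as an added example (not the answer's own script): it compares the label exactly instead of as a grep prefix, keeps any ':' inside the filter expression, tries the "Label:filter" file first and the Wireshark cfilters file second, and refuses to start dumpcap when the label is unknown, because an empty -f expression captures everything on the interface. The interface number, the file paths and the sample files written by selftest are assumptions for illustration.

```shell
#!/bin/sh
# dumpcap-by-label.sh: added example, not the original answer's script.
# Looks up a capture filter by EXACT label in either file format and
# hands it to dumpcap. Interface number, file paths and the selftest
# sample data are assumptions.

interface=${INTERFACE:-5}                                   # assumed, as in the answer
labelfile=${LABELFILE:-capturefilterfile.txt}               # "Label:filter" lines
cfilterfile=${CFILTERFILE:-/usr/share/wireshark/cfilters}   # "Label" filter lines

# lookup_labeled LABEL FILE
# Compares the text before the first ':' with LABEL exactly, so "Filter1"
# does not also match "Filter10" the way `grep ^Filter1` does, and the
# filter keeps any ':' of its own (MAC or IPv6 addresses) that
# `cut -d ':' -f 2` would cut off. Exit status 1 when LABEL is absent.
lookup_labeled() {
    awk -v want="$1" '
        index($0, ":") > 0 {
            pos = index($0, ":")
            if (substr($0, 1, pos - 1) == want) {
                expr = substr($0, pos + 1)
                sub(/^[ \t]+/, "", expr); sub(/[ \t]+$/, "", expr)
                print expr; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }' "$2"
}

# lookup_cfilter LABEL FILE
# Wireshark cfilters lines look like:   "Label, spaces allowed" filter expr
# Match the quoted label exactly and print the trimmed expression.
lookup_cfilter() {
    awk -v want="$1" '
        /^"/ {
            q = index(substr($0, 2), "\"")     # closing quote, relative to char 2
            if (q == 0) next                   # malformed line, skip it
            if (substr($0, 2, q - 1) == want) {
                expr = substr($0, q + 2)
                sub(/^[ \t]+/, "", expr); sub(/[ \t]+$/, "", expr)
                print expr; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }' "$2"
}

# resolve_filter LABEL: try the label file first, then the cfilters file.
resolve_filter() {
    if [ -r "$labelfile" ] && f=$(lookup_labeled "$1" "$labelfile"); then
        printf '%s\n' "$f"
    elif [ -r "$cfilterfile" ] && f=$(lookup_cfilter "$1" "$cfilterfile"); then
        printf '%s\n' "$f"
    else
        return 1
    fi
}

# run_capture LABEL [extra dumpcap options...]
# An unknown or empty filter must abort: passing "" to -f makes dumpcap
# capture everything on the interface, silently.
run_capture() {
    label=$1; shift
    filter=$(resolve_filter "$label") || {
        echo "no capture filter labelled '$label' in $labelfile or $cfilterfile" >&2
        return 1
    }
    [ -n "$filter" ] || { echo "label '$label' has an empty filter, refusing" >&2; return 1; }
    printf 'capture filter: %s\n' "$filter" >&2
    exec dumpcap -i "$interface" -f "$filter" "$@"
}

# selftest: constructed sample files (assumed content), no dumpcap needed.
selftest() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Filter1:udp' 'Filter2:tcp' 'Filter3:ip and (udp or tcp)' \
        'Filter10:ether host 00:00:5e:00:53:01' > "$d/labels.txt"
    printf '%s\n' '"TCP only" tcp' '"HTTP and HTTPS"   tcp port 80 or tcp port 443' > "$d/cfilters"
    lookup_labeled Filter1  "$d/labels.txt"         # udp, not the Filter10 line
    lookup_labeled Filter10 "$d/labels.txt"         # ether host 00:00:5e:00:53:01
    lookup_cfilter "HTTP and HTTPS" "$d/cfilters"   # tcp port 80 or tcp port 443
    lookup_labeled Filter "$d/labels.txt" || echo "Filter: not found (exact match only)"
    rm -r "$d"
}

if [ "$#" -ge 1 ]; then
    case "$1" in
        --selftest) selftest ;;
        *)          run_capture "$@" ;;
    esac
fi
```

Run it as `./dumpcap-by-label.sh Filter3 -w out.pcapng`; anything after the label is passed through to dumpcap. `./dumpcap-by-label.sh --selftest` exercises the two parsers on the constructed files without opening an interface. To confirm a looked-up expression compiles before starting a long capture, dumpcap's -d option prints the generated BPF program for the filter and exits.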