Ask Your Question
0

Is it possible to test a capture filter with already captured traffic?

asked 2017-12-22 15:52:25 +0000

nignasi gravatar image

Suppose I have some captured traffic where I apply a display filter which shows the frames I want. Now I would like to convert the display filter to capture filter and use it on real traffic. But before using it I would like to test it over the captured traffic. Is it possible?

Rephrasing, I would like to feed wireshark with an existing pcap file to get a new one through a capture filter.

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
1

answered 2017-12-22 18:21:28 +0000

Guy Harris gravatar image

updated 2017-12-22 18:24:23 +0000

Not with Wireshark, but you could do it with tcpdump/WinDump, which supports filtering when reading a capture file, and uses libpcap/WinPcap filters, which is what Wireshark uses as a capture filter.

If you do `tcpdump -r {input file} -w {output file} {filter}", and then read the output file, that'll show you what packets in the input file would be matched by the filter.

Note, by the way, that not all display filters can be converted to capture filters; the engine that produces the fields that a display filter can test is the same engine that does detailed dissection of packets, but the engine that performs capture filtering is a small pseudo-machine that cannot, for example, execute loops (because that engine can execute in an OS in kernel mode, and they creators of that engine didn't want a program to be able to put the OS kernel into an infinite loop).

edit flag offensive delete link more
add a comment
0

answered 2017-12-22 19:47:12 +0000

csereno gravatar image

You could also replay the traffic in a lab scenario using a tool such as tcpreplay, netcat, etc and setup and test your capture as many times as you'd like.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2017-12-22 15:52:25 +0000

Seen: 2,123 times

Last updated: Dec 22 '17

Related questions

How would I map this display filter to a capture filter?

Can't capture TLS certificate

Can I create a capture filter on a pcap file

Resolve frame subtype and export to csv

Error on Mac! Could not create profiles directory? Help!

How to create capture filter based on partial MAC address?

How to go back to start screen?

Capture Filters - What am I doing wrong?

capture filter: access data behind tcp header

Capture Filter for TLS

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2