Ask Your Question
0

Auto Wireshark Profile Capture

asked 2021-03-07 11:52:59 +0000

madmin gravatar image

Hi, EveryOne!

Let say i have a default profile and i want to create a new profile to capture only #DNS_TRAFFIC !

Question :: without retyping MANUALYY the dns filter expression or click on a button, is it possible to capture automatically the the traffic from all profiles once the capture process is starting on the interface!

Best Regards

edit retag flag offensive close merge delete

Comments

You want to be able to automatically capture the traffic from all profiles? What does that mean?

You can run Wireshark from the command-line (in a script or shortcut if it's easier) and specify any options you want, including the interface to capture on (-i <interface>), the profile to use (-C <configuration profile>), the capture filter to apply (-f <capture filter>), dissector options (-o <preference/recent setting>) and more. I'm not sure if that's what you're looking for? Refer to the Wireshark man page for more details on the command-line options.

cmaynard gravatar imagecmaynard ( 2021-03-07 16:22:24 +0000 )edit

Do you really want Wireshark to capture only DNS? A capture is different from a display filter. - The capture filter will only allow DNS packets into the buffer. Basically, all packets that don't match your capture filter are discarded and there is no way to go back and retrieve them. - The display filter will display on DNS packets in your packet capture

Answer to capture filter is to create a Wireshark shortcut with the startup options you need.

BigFatCat gravatar imageBigFatCat ( 2021-03-11 21:49:04 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-03-08 08:47:23 +0000

hugo.vanderkooij gravatar image

The profile does not determine your capture filter.

edit flag offensive delete link more

Comments

i feel like it's more clear now. my question was if it is possible to save the filter in a profile so if i switch between profiles i will find the traffic filtered rather then manually retype the BIG* filter *expression! i can use now buttons as Exemple to save time. Right??

madmin gravatar imagemadmin ( 2021-03-08 09:20:01 +0000 )edit

You can save your display filter expressions as buttons if that is what you mean. Just type in the filter and press the + next to the filter field. You can also create a menu to group different display filters by using the label format:

  • Group1//Filter1
  • Group1//Filter2

  • Group1//Filter3

  • Group2//Filter1

  • Group2//Filter2
  • Group2//Filter3

This will create two menues with each of 3 filters. The filters will be only available in the current profile.

JasMan gravatar imageJasMan ( 2021-03-10 20:33:48 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2021-03-07 11:52:59 +0000

Seen: 1,306 times

Last updated: Mar 08 '21

Related questions

How can I best compare two profiles?

filtering open ports on wireshark

Finding a gap in length or id

ERSPAN ID - Adding Information to captured packets

tshark -C $profile produces "Configuration Profile does not exist"

Is it possible to use an arp cache in your profile?

Using a vlans file in profile

How can I search within data, specifically in the TCP segment data?

How to find the make and model of a local router? [closed]

Filter URL By Number Characters