Is it possible to use a file containing filters as a filter itself? Instead of having to write each filter -f ...... -f ....... have a file that contains all the filters I wish to use to capture? What should the format of this file be? How do I create said file?
"Filter1" udp
"Filter2" ip6
When using this file using CMD what would the expression be?
dumpcap -i 5 -???????? -w capture.pcapng
and how could I use a file containing multiple filters as a capture filter in tshark on WINDOWS CMD?
Given that cmd.exe doesn't support the backquote mechanism that the UN*X Bourne shell, and compatible shells, has always supported, and doesn't support the newer "$({command})" syntax, either, the answer is "with great difficulty". You might have to extract the appropriate line from the file using the find command, somehow construct and write to a .bat file a dumpcap command that uses that filter, and then run that .bat file.
If PowerShell supports a mechanism that can capture the standard output of a command and then substitute it into a command line, the way the backquote and "$({command})" mechanisms do in Bourne-compatible shells, you could try using that along with the find command.
And to add a comment I just made in issue #18808:
Using tshark rather than dumpcap might be the right choice, given that, if you're not using tshark to dissect the packets as they're being captured, all tshark does is act as a front-end to dumpcap, with dumpcap doing all the real work of capturing to a file or files.
which is also what Chris Maynard said in a comment:
It might be possible to devise a native Windows solution, but is it even worth the effort if you can just use
tsharkwith built-in predef support where you can just use Wireshark'scfiltersfile instead?
On a UN*X system:
You can store a capture filter in a file and then use:
dumpcap -i 5 -f "$(cat capturefilterfile.txt)"
That works if you only have a single capture filter in that file, but if you want to keep multiple capture filters in the file, prepended with some label, then you can also do that as well. Let's assume you prepend each filter like this:
Filter1:udp
Filter2:tcp
Filter3:ip and (udp or tcp)
Then you'll just need to do something like this instead:
dumpcap -i 5 -f "$(grep ^Filter3 capturefilterfile.txt | cut -d ':' -f 2)"
If you don't want to type that each time, you can simplify things by wrapping it into a script, say dumpcap.sh with contents like:
#!/bin/sh
if (( $# < 1 ))
then
echo "Usage: $0 <capturefilterlabel>"
exit 0
fi
interface=5
dumpcap -i $interface -f "$(grep ^$1 capturefilterfile.txt | cut -d ':' -f 2)"
Now if you want to use the Wireshark cfilters file, then the syntax and parsing is a bit different. For that, you'd need to modify the above dumpcap.sh script to something like this:
#!/bin/sh
if (( $# < 1 ))
then
echo "Usage: $0 <capturefilterlabel>"
exit 0
fi
interface=5
cfilterfile=/usr/share/wireshark/cfilters
cfilter=$(grep "^\"$1\"" $cfilterfile | cut -d '"' -f 3 | awk '{$1=$1;print}')
dumpcap -i $interface -f "$cfilter"
See also: https://gitlab.com/wireshark/wireshar...
Thanks for the answer. Unfortunately it doesn't work for me. When typing the expression into CMD it returns that the capture filter syntax is incorrect. I think this is because it tries putting "$(grep ^Filter3 capturefilterfile.txt | cut -d ':' -f 2)" as a capture filter directly instead of reading that that is supposed to be a file.
C:\Program Files\Wireshark>dumpcap -i 5 -f "$(grep ^Filter3 filtros.txt | cut -d ':' -f 2)"
Capturing on 'Wi-Fi' dumpcap: Invalid capture filter "$(grep ^Filter3 filtros.txt | cut -d ':' -f 2)" for interface '\Device\NPF_{0C748DDF-3C25-490F-9F22-2073F0FE3785}'.
That string isn't a valid capture filter (can't parse filter expression: syntax error). See the User's Guide for a description of the capture filter syntax.
When typing this in, it returns as syntax error. I think it tries to put in the whole expression as a capture file and that is why it doesn't recognise that it is supposed to be a file. C:\Program Files\Wireshark>dumpcap -i 5 -f "$(grep ^Filter3 filtros.txt | cut -d ':' -f 2)"
Capturing on 'Wi-Fi'
dumpcap: Invalid capture filter "$(grep ^Filter3 filtros.txt | cut -d ':' -f 2)" for interface '\Device\NPF_{0C748DDF-3C25-490F-9F22-2073F0FE3785}'.
That string isn't a valid capture filter (can't parse filter expression: syntax error). See the User's Guide for a description of the capture filter syntax.
what should the command be so that it works on Windows?
The commands in the answer won't work on Windows.
I've edited the answer to note that this is for a UN*X command line. It might work in the Windows Subsystem for Linux, if Windows executables such as TShark or dumpcap can be run from the WSL command line.
Asked: 2023-02-07 12:40:31 +0000
Seen: 618 times
Last updated: Feb 11 '23
The dumpcap man page says
predefshould work but doesn't seem to be implemented:8091: Allow/Create an option to use "capture filter" labels defined in wireshark GUI from CLI