Ask Your Question
0

Use a file as a Capture filter

asked 2023-02-07 12:40:31 +0000

jamarincortes123@gmail.com gravatar image

updated 2023-02-08 15:30:25 +0000

grahamb gravatar image

Is it possible to use a file containing filters as a filter itself? Instead of having to write each filter -f ...... -f ....... have a file that contains all the filters I wish to use to capture? What should the format of this file be? How do I create said file?

"Filter1" udp
"Filter2" ip6

When using this file using CMD what would the expression be?

dumpcap -i 5 -???????? -w capture.pcapng
edit retag flag offensive close merge delete

Comments

Chuckc gravatar imageChuckc ( 2023-02-07 15:17:10 +0000 )edit

2 Answers

Sort by ยป oldest newest most voted
0

answered 2023-02-11 12:50:17 +0000

Guy Harris gravatar image

updated 2023-02-11 13:01:50 +0000

and how could I use a file containing multiple filters as a capture filter in tshark on WINDOWS CMD?

Given that cmd.exe doesn't support the backquote mechanism that the UN*X Bourne shell, and compatible shells, has always supported, and doesn't support the newer "$({command})" syntax, either, the answer is "with great difficulty". You might have to extract the appropriate line from the file using the find command, somehow construct and write to a .bat file a dumpcap command that uses that filter, and then run that .bat file.

If PowerShell supports a mechanism that can capture the standard output of a command and then substitute it into a command line, the way the backquote and "$({command})" mechanisms do in Bourne-compatible shells, you could try using that along with the find command.

And to add a comment I just made in issue #18808:

Using tshark rather than dumpcap might be the right choice, given that, if you're not using tshark to dissect the packets as they're being captured, all tshark does is act as a front-end to dumpcap, with dumpcap doing all the real work of capturing to a file or files.

which is also what Chris Maynard said in a comment:

It might be possible to devise a native Windows solution, but is it even worth the effort if you can just use tshark with built-in predef support where you can just use Wireshark's cfilters file instead?

edit flag offensive delete link more
0

answered 2023-02-07 15:20:37 +0000

cmaynard gravatar image

updated 2023-02-08 19:18:37 +0000

Guy Harris gravatar image

On a UN*X system:

You can store a capture filter in a file and then use:

dumpcap -i 5 -f "$(cat capturefilterfile.txt)"

That works if you only have a single capture filter in that file, but if you want to keep multiple capture filters in the file, prepended with some label, then you can also do that as well. Let's assume you prepend each filter like this:

Filter1:udp
Filter2:tcp
Filter3:ip and (udp or tcp)

Then you'll just need to do something like this instead:

dumpcap -i 5 -f "$(grep ^Filter3 capturefilterfile.txt | cut -d ':' -f 2)"

If you don't want to type that each time, you can simplify things by wrapping it into a script, say dumpcap.sh with contents like:

#!/bin/sh
if (( $# < 1 ))
then
        echo "Usage: $0 <capturefilterlabel>"
        exit 0
fi

interface=5
dumpcap -i $interface -f "$(grep ^$1 capturefilterfile.txt | cut -d ':' -f 2)"

Now if you want to use the Wireshark cfilters file, then the syntax and parsing is a bit different. For that, you'd need to modify the above dumpcap.sh script to something like this:

#!/bin/sh
if (( $# < 1 ))
then
        echo "Usage: $0 <capturefilterlabel>"
        exit 0
fi

interface=5
cfilterfile=/usr/share/wireshark/cfilters
cfilter=$(grep "^\"$1\"" $cfilterfile | cut -d '"' -f 3 | awk '{$1=$1;print}')
dumpcap -i $interface -f "$cfilter"

See also: https://gitlab.com/wireshark/wireshar...

edit flag offensive delete link more

Comments

Thanks for the answer. Unfortunately it doesn't work for me. When typing the expression into CMD it returns that the capture filter syntax is incorrect. I think this is because it tries putting "$(grep ^Filter3 capturefilterfile.txt | cut -d ':' -f 2)" as a capture filter directly instead of reading that that is supposed to be a file.

C:\Program Files\Wireshark>dumpcap -i 5 -f "$(grep ^Filter3 filtros.txt | cut -d ':' -f 2)"

Capturing on 'Wi-Fi' dumpcap: Invalid capture filter "$(grep ^Filter3 filtros.txt | cut -d ':' -f 2)" for interface '\Device\NPF_{0C748DDF-3C25-490F-9F22-2073F0FE3785}'.

That string isn't a valid capture filter (can't parse filter expression: syntax error). See the User's Guide for a description of the capture filter syntax.

jamarincortes123@gmail.com gravatar image[email protected] ( 2023-02-08 12:31:04 +0000 )edit

When typing this in, it returns as syntax error. I think it tries to put in the whole expression as a capture file and that is why it doesn't recognise that it is supposed to be a file. C:\Program Files\Wireshark>dumpcap -i 5 -f "$(grep ^Filter3 filtros.txt | cut -d ':' -f 2)"
Capturing on 'Wi-Fi' dumpcap: Invalid capture filter "$(grep ^Filter3 filtros.txt | cut -d ':' -f 2)" for interface '\Device\NPF_{0C748DDF-3C25-490F-9F22-2073F0FE3785}'.

That string isn't a valid capture filter (can't parse filter expression: syntax error). See the User's Guide for a description of the capture filter syntax.

jamarincortes123@gmail.com gravatar image[email protected] ( 2023-02-08 12:33:13 +0000 )edit

The commands in the answer won't work on Windows.

grahamb gravatar imagegrahamb ( 2023-02-08 14:24:19 +0000 )edit

what should the command be so that it works on Windows?

jamarincortes123@gmail.com gravatar image[email protected] ( 2023-02-08 14:32:09 +0000 )edit

The commands in the answer won't work on Windows.

I've edited the answer to note that this is for a UN*X command line. It might work in the Windows Subsystem for Linux, if Windows executables such as TShark or dumpcap can be run from the WSL command line.

Guy Harris gravatar imageGuy Harris ( 2023-02-08 19:20:36 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2023-02-07 12:40:31 +0000

Seen: 618 times

Last updated: Feb 11 '23