Hi, is it possible to use a plaintext file with IP ranges (CIDR notation) in it to exclude specific IP ranges from the capturing process? If so, how can I do that? Thanks in advance, Steve. asked 28 Apr '12, 07:49 LA_FORGE
2 Answers:
At least on Unix you can do it this way:

[email protected]:/var/tmp# cat excluded-networks

Then run this command:

[email protected]:/var/tmp# tshark -n host 1.2.3.4 and `perl -pe 'BEGIN {print " ( ip"}; END {print ") "}; $_ =~ s/\n//; $_ = " and not net $_ "' < /var/tmp/excluded-networks`

Replace the first part of the filter (here 'host 1.2.3.4') with whatever you like.

WARNING: If the number of networks gets large (more than 10!), this does NOT scale, as the resulting capture filter will be way too complex for fast networks!!

Regards

answered 30 Apr '12, 14:25 Kurt Knochner ♦ edited 30 Apr '12, 14:26
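The same filter construction as a shell function, added here as an example (it is not part of the answer above): it ignores blank lines and '#' comments in the range file, tolerates CRLF line endings, skips entries that are not dotted-quad/CIDR, and prints the answer's scaling warning once more than 10 ranges are listed. The range list and the base filter 'host 1.2.3.4' are constructed sample values.

```shell
#!/bin/sh
# Build a BPF capture filter that excludes every CIDR range listed in a file.
# Usage: build_exclude_filter FILE [BASE_FILTER]   (BASE_FILTER defaults to "ip")
build_exclude_filter() {
    file=$1
    base=${2:-ip}
    filter="$base"
    count=0
    # "|| [ -n "$line" ]" also processes a last line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                              # drop '#' comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')   # drop blanks and CR (CRLF files)
        [ -z "$line" ] && continue                    # skip empty lines
        case $line in
            # only digits, dots and a slash are valid in a dotted-quad/CIDR entry
            *[!0-9./]*) printf 'skipping invalid entry: %s\n' "$line" >&2; continue ;;
        esac
        filter="$filter and not net $line"
        count=$((count + 1))
    done < "$file"
    # Same caveat as the answer: a long chain of "and not net" terms does not scale.
    if [ "$count" -gt 10 ]; then
        printf 'warning: %d ranges; the filter may be too complex for fast links\n' "$count" >&2
    fi
    printf '%s\n' "$filter"
}

# Demonstration on a constructed range file (sample values, not from the original post).
exclude_file=$(mktemp)
printf '10.0.0.0/8\n# internal\n192.168.0.0/16\n\n172.16.0.0/12\r\n' > "$exclude_file"
build_exclude_filter "$exclude_file" 'host 1.2.3.4'
# Hand the result to the capture tool, for example:
#   tshark -n -f "$(build_exclude_filter "$exclude_file" 'host 1.2.3.4')"
rm -f "$exclude_file"
```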
Not directly. You could, however, do some scripting to specify as a command line arg a capture filter (or display filter) to wireshark or tshark, or a capture filter to dumpcap. See the wireshark/tshark/dumpcap help and man pages. Feel free to submit an enhancement request (or a patch implementing the feature) at bugs.wireshark.org. answered 30 Apr '12, 10:50 Bill Meier ♦♦ edited 30 Apr '12, 10:52
Thank you very much!!
@LA_FORGE I've converted your "answer" into a comment. Please see the FAQ to see how this Q&A site works.
I'm glad that I was able to help...
@Kurt how many ranges are possible on slow networks? The CPU power shouldn't be the problem, I've got an 80.000 MIPS machine here.
Well, that's really hard to say. It depends on so many parameters. Just out of thin air, I would say around 20-30 (NOT tested!).
Besides the CPU, the max length of the CLI parameters (of the shell) could be a problem too. Maybe there is a limit in tshark regarding the length of a capture filter (check the code).
BTW: What are you looking for? Maybe there is a better way to achieve that goal.
I want to exclude many ranges (blacklist) from the capturing process. Since the age of 18 I've been blind and I'm depending on screen reader software to use the computer. But I don't want to refrain from using wireshark/tshark; only the flood of information is the problem for me.