This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Use plaintext file for a capturing filter

0

Hi,

Is it possible to use a plaintext file with IP ranges (CIDR notation) in it to exclude specific IP ranges from the capturing process? If so, how can I do that?

Thanks in advance

Steve

asked 28 Apr '12, 07:49


LA_FORGE
6113
accept rate: 0%


2 Answers:

1

At least on Unix you can do it this way:

[email protected]:/var/tmp# cat excluded-networks
10.1.1.0/24
10.1.2.0/24
192.168.0.0/16

Then run this command:

[email protected]:/var/tmp# tshark -n host 1.2.3.4 and `perl -pe 'BEGIN {print " ( ip"}; END {print ") "}; $_ =~ s/\n//; $_ = " and not net $_ "' < /var/tmp/excluded-networks`

Replace the first part of the filter (here 'host 1.2.3.4') with whatever you like.

WARNING: If the number of networks gets large (more than 10!), this does NOT scale, as the resulting capture filter will be way too complex for fast networks!!

Regards
Kurt

answered 30 Apr '12, 14:25


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 30 Apr '12, 14:26

Thank you very much!!

(01 May '12, 08:36) LA_FORGE

@LA_FORGE I've converted your "answer" into a comment. Please see the FAQ to see how this Q&A site works.

(01 May '12, 09:45) multipleinte...

I'm glad that I was able to help...

(01 May '12, 11:53) Kurt Knochner ♦

@Kurt how many ranges are possible on slow networks? The CPU power shouldn't be the problem, I've an 80.000 MIPS machine here.

(01 May '12, 14:00) LA_FORGE

Well, that's really hard to say. It depends on so many parameters. Just out of thin air, I would say around 20-30 (NOT tested!).

Besides the CPU, the max length of the CLI parameters (of the shell) could be a problem too. Maybe there is a limit in tshark regarding the length of a capture filter (check the code).

BTW: What are you looking for? Maybe there is a better way to achieve that goal.

(01 May '12, 14:38) Kurt Knochner ♦

I want to exclude many ranges (blacklist) from the capturing process. Since the age of 18 I've been blind and I'm depending on screenreader software to use the computer. But I don't want to refrain from Wireshark/tshark, only the flood of information is the problem for me.

(02 May '12, 13:05) LA_FORGE

0

Not directly.

You could, however, do some scripting to specify as a command line arg a capture filter (or display filter) to wireshark or tshark, or a capture filter to dumpcap.

See the wireshark/tshark/dumpcap help and man pages.

Feel free to submit an enhancement request (or patch implementing the feature) at bugs.wireshark.org

answered 30 Apr '12, 10:50


Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 30 Apr '12, 10:52
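Both answers come down to the same idea: turn the file of CIDR ranges into a capture filter string and pass it on the command line. The script below is an added example that is not from either answer or from the Wireshark project; it does what Kurt's perl one-liner does, but validates every line first (a typo in the file aborts the build instead of silently producing a filter that excludes nothing), ignores blank lines and '#' comments, and parenthesises the base filter so a base such as 'host a or host b' keeps its own precedence. Function names, the sample file contents and the interface name are this example's own choices; it handles IPv4 only.

```shell
#!/bin/sh
# Added example (not from the original thread): build a libpcap capture
# filter that excludes every CIDR network listed in a plaintext file,
# then hand it to tshark/dumpcap with -f.
#
# File format: one IPv4 network per line, e.g. 10.1.1.0/24; blank lines
# and '#' comments are ignored.  Function and file names are this
# example's own choices.

# valid_cidr NETWORK/PREFIX -> 0 if it is a well-formed IPv4 CIDR, else 1.
# A malformed line aborts the whole build: a typo must not silently
# produce a filter that excludes nothing.
valid_cidr() {
    net=${1%/*}
    pfx=${1##*/}
    [ "$net/$pfx" = "$1" ] || return 1            # exactly one '/'
    case $pfx in ''|*[!0-9]*) return 1 ;; esac     # numeric prefix length
    [ "$pfx" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_capture_filter FILE [BASE] prints
#   (BASE) and not net N1 and not net N2 ...
# BASE defaults to 'ip'; it is parenthesised so a base such as
# 'host a or host b' keeps its own precedence.
build_capture_filter() {
    file=$1
    filter="(${2:-ip})"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # drop whitespace
        [ -z "$line" ] && continue
        if ! valid_cidr "$line"; then
            printf 'bad CIDR line: %s\n' "$line" >&2
            return 1
        fi
        filter="$filter and not net $line"
    done < "$file"
    printf '%s\n' "$filter"
}

# Constructed sample input for a stand-alone run (not the original poster's file).
make_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' '10.1.1.0/24' '# lab segment' '10.1.2.0/24' '' '192.168.0.0/16' > "$f"
    printf '%s\n' "$f"
}

# When run as a script with arguments: print the filter for FILE [BASE].
# Typical use (interface name is a placeholder):
#   dumpcap -i eth0 -f "$(sh build_filter.sh excluded-networks 'host 1.2.3.4')" -w out.pcapng
if [ $# -gt 0 ]; then
    build_capture_filter "$@"
fi
```

For the sample file this prints `(host 1.2.3.4) and not net 10.1.1.0/24 and not net 10.1.2.0/24 and not net 192.168.0.0/16`, which both tshark and dumpcap accept via `-f`. Validation only removes the quoting and typo problems; Kurt's scaling warning still applies, because libpcap compiles every `not net` clause into additional BPF instructions, so the filter program grows linearly with the number of entries in the file.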