This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using BPF on a .pcap file

0

So I have a whatever.pcap file and load it into Wireshark. I do not want to use the native Wireshark display filters, but use BPF to filter through my traffic.

I know I can use BPF to filter traffic during the capture, but I want to be able to use it after the capture as well.

Is there a way to do this?

asked 06 Jun '12, 12:45


wormy638


2 Answers:

0
tcpdump -r {your pcap file} -w {a filtered pcap file} {libpcap-style filter expression}

and then read the filtered file in Wireshark. There's no way to do that in Wireshark, and there probably never will be, for the reasons noted in the other answer.

answered 06 Jun '12, 18:49


Guy Harris ♦♦

edited 06 Jun '12, 18:50

1

Well, this could be an applicable real-life problem: I'm making a capture at one point in the network (using a capture filter to get rid of uninteresting stuff), while my co-worker does it at his end. After a lot of testing we've been able to reproduce the problem (Yeah!). Now I have two files to compare, where the co-worker's file has all this extra 'crap' in it, because he forgot to apply the agreed capture filter (#&$#%*!). Now I want to post-BPF it before starting my comparison.

(07 Jun '12, 04:33) Jaap ♦

Now I want to post-BPF it before starting my comparison.

The code to filter on BPF is already there and if one adds a file read option to dumpcap (-r, pcap_open_offline()), it would be possible to have that functionality in wireshark/tshark too, right? Would such an option break something in dumpcap?

(08 Jun '12, 06:06) Kurt Knochner ♦
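The tcpdump round trip from Guy Harris's answer, as an added, runnable example that is not part of the original thread. It hand-assembles a three-packet capture (constructed MAC and 10.0.0.x addresses, no real traffic), writes it as a classic pcap file, runs `tcpdump -r in -w out <bpf>` on it, and reads the output back to count what survived. It assumes tcpdump is on PATH; when it is not, filter_pcap returns None instead of guessing. The helper names (build_packet, write_pcap, read_pcap, filter_pcap, demo) are this example's own, not tcpdump's or Wireshark's.

```python
"""Post-capture BPF filtering of a pcap via tcpdump (added example)."""
import shutil
import struct
import subprocess
import tempfile
from pathlib import Path

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def _ipv4_checksum(header: bytes) -> int:
    """Ones'-complement checksum over the IPv4 header (checksum field zeroed)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(proto: int, dst_port: int, payload: bytes = b"x") -> bytes:
    """Ethernet/IPv4/{TCP,UDP} frame with constructed addresses.

    Transport checksums are left at zero: BPF never inspects them and
    tcpdump does not verify them while filtering a file.
    """
    src_ip, dst_ip = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed
    if proto == 6:    # TCP: src port, dst port, seq, ack, offset, flags, win, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    elif proto == 17:  # UDP: src port, dst port, length, csum
        l4 = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0)
    else:
        raise ValueError("only TCP (6) and UDP (17) are built here")
    l4 += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")     # locally administered MACs
    return eth + ip + l4


def write_pcap(path: Path, packets) -> int:
    """Write frames as a little-endian pcap file; returns the packet count."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, pkt in enumerate(packets):
            f.write(struct.pack("<IIII", 1_000_000 + i, 0, len(pkt), len(pkt)))
            f.write(pkt)
    return len(packets)


def read_pcap(path: Path):
    """Minimal pcap reader (either byte order, pcapng not handled); returns raw frames."""
    data = path.read_bytes()
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("not a classic pcap file")
    frames, off = [], 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frames.append(data[off:off + incl])
        off += incl
    return frames


def filter_pcap(src: Path, dst: Path, bpf: str):
    """Apply a libpcap-style (BPF) expression to an existing capture with tcpdump.

    Returns the number of packets tcpdump kept, or None if tcpdump is not installed.
    """
    if shutil.which("tcpdump") is None:
        return None
    subprocess.run(["tcpdump", "-r", str(src), "-w", str(dst), bpf],
                   check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return len(read_pcap(dst))


def demo(bpf: str = "tcp port 80") -> dict:
    """Build the sample capture, filter it, and report both counts."""
    packets = [
        build_packet(6, 80, b"GET / HTTP/1.0\r\n\r\n"),   # the only match for "tcp port 80"
        build_packet(17, 53, b"\x00" * 12),              # UDP, dropped by the filter
        build_packet(6, 443, b"\x16\x03\x01"),           # TCP on another port, dropped
    ]
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "whatever.pcap", Path(tmp) / "filtered.pcap"
        write_pcap(src, packets)
        return {"input_packets": len(read_pcap(src)),
                "kept_packets": filter_pcap(src, dst, bpf)}


if __name__ == "__main__":
    print(demo())
```

The filtered file that tcpdump writes is a normal pcap, so it opens in Wireshark like any other capture; the BPF expression is the same one you would give as a capture filter, which is the whole point of the answer.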

0

No, there is no way to do this within the Wireshark GUI. The only place you can enter filters in BPF syntax is in the capture filter field.

This sounds like a solution in search of a problem. The only reason I can think of to avoid display filter syntax is to avoid the learning curve. However, a little time invested in learning display filter syntax is well worth the effort. Wireshark display filters have many, many more options than capture filters and are much more flexible and powerful.

answered 06 Jun '12, 13:46


Jim Aragon