This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I am trying to automate some testing for a couple of users. They require that Wireshark starts automatically when they run a shell script. I have that part working.

But they have a request for having a filter already enabled when they start the Wireshark GUI. For example: ip.src == W.X.Y.Z

So the question is: Is it possible to start Wireshark from the command line and automatically have a display filter already applied when Wireshark comes up?

Thanks for the help in advance.

asked 06 Dec '10, 16:36

ValkyrieHrist

This is not an answer since you clearly indicate you want to have a default display filter loaded. This seems to work fine with capture filter syntax ( -f "ip src W.X.Y.Z" ). However, at least in 1.4, I am unable to load a default display filter by command line ( -R "ip.addr==W.X.Y.Z" ). I know this is in the "processing" parameter. However, unlike resolution, it seems to only work when pulling a file in with ( -R <filename> ). It may be by design. I hope someone has an answer for you.

(06 Dec '10, 17:21) Paul Stewart

In theory, "-R filter_expression" could be used to automatically apply a display filter, but I don't know enough about gtk programming to know for sure or to be able to implement this myself. You might want to file an enhancement bug request for this at https://bugs.wireshark.org/bugzilla/, and if it's possible and if there's sufficient interest, perhaps someone will implement it for you.

(29 Mar '11, 07:44) cmaynard ♦♦

Actually, "-R filter_expression" adds a read filter, which, when you read the file in, discards packets that don't match; that means that you can't then change the filter within the same Wireshark session, e.g. remove it and see all the packets. This may or may not be what the person who asked the original question wants.

(30 Mar '11, 10:26) Guy Harris ♦♦

Right, that's the behavior of "-R" when reading a capture file. When starting Wireshark from the command-line but not reading a capture file, then "-R" is currently ignored. I was throwing out the idea that "-R"'s behavior could possibly be modified to meet the needs of the OP. (Either that, or a new option could be added, but since "-R" is not used in that case anyway, I thought it could be, which would avoid having to add another option.)

(01 Apr '11, 08:12) cmaynard ♦♦
question asked: 06 Dec '10, 16:36

question was seen: 3,518 times

last updated: 01 Apr '11, 08:12
