I am trying to automate some testing for a couple of users. They require that wireshark starts automatically when they run a shell script. I have that part working. But they have a request for having a filter already enabled when they start the wireshark gui. For example ip.src == W.X.Y.Z So the question is: Is it possible to start wireshark from command line and automatically have a display filter already applied when wireshark comes up? Thanks for the help in advance. asked 06 Dec '10, 16:36 ValkyrieHrist |
This is not an answer since you clearly indicate you want to have a default display filter loaded. This seems to work fine with capture filter syntax ( -f "ip src W.X.Y.Z ). However, at least in 1.4, I am unable to load a default display filter by command line ( -R "ip.addr==W.X.Y.Z" ). I know this is in the "processing" parameter. However, unlike resolution, it seems to only work when pulling a file in with ( -R <filename> ). It may be by design. I hope someone has an answer for you.
In theory, "-R filter_expression" could be used to automatically apply a display filter, but I don't know enough about gtk programming to know for sure or to be able to implement this myself. You might want to file an enhancement bug request for this at https://bugs.wireshark.org/bugzilla/, and if it's possible and if there's sufficient interest, perhaps someone will implement it for you.
Actually, "-R filter_expression" adds a read filter, which, when you read the file in, discards packets that don't match; that means that you can't then change the filter within the same Wireshark session, e.g. remove it and see all the packets. This may or may not be what the person who asked the original question wants.
Right, that's the behavior of "-R" when reading a capture file. When starting Wireshark from the command-line but not reading a capture file, then "-R" is currently ignored. I was throwing out the idea that "-R"'s behavior could possibly be modified to meet the needs of the OP. (Either that, or a new option could be added, but since "-R" is not used in that case anyway, I thought it could be, which would avoid having to add another option.)