Hey, im having issues to start wireshark with the filter i need. I can auto start capturing from the Interface i need. using the -i # and -k but i cant set the followint filter to be started aswell currently: expert.message contains "GET /bahamut_n/top/" only that filter has the info that im always looking for - so all the other info that goes back and forth with the server is useless for me so id rather only see that info - not the whole IP stuff. Any help is highly appreciated. Ryuu asked 29 Jun '13, 05:39 Ryuuske01 |
One Answer:
The filter you mention is a display filter, so even if you apply that at start of Wireshark you will still capture everything else. To exclude frames on capture you need to create a capture filter, and that will be quite complicated in your case (if possible at all), because it will probably have to filter on specific offsets to look for that message). You should familiarize yourself with the difference between capture and display filters and how to create capture filters. There are some examples on this Wiki page that might help you: http://wiki.wireshark.org/CaptureFilters answered 29 Jun '13, 07:05 Jasper ♦♦ edited 29 Jun '13, 07:07 |
Yes i know :)
the thing is i dont really need the capture filter - it can capture all data while i work with that display filter. since i really need it just for 1-2 minutes and then i reset wireshark anyway to get the new info in the same display filter.
is it possible to set the display filter to also auto-start?
Yes. Try
Wireshark -Y "Display Filter"
You can find all parameters Wireshark accepts by starting it from the command line with the -h parameter.