This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

decode as feature set up before start a cap

0

Hi all, is it possible to set up a capture filter in Wireshark for the Decode As feature, just like the tshark -d option, i.e. -d udp.port==8000,rudp, before starting a capture?

This question is marked "community wiki".

asked 08 Apr '11, 06:59

flap78
accept rate: 0%


2 Answers:

1

You could do that using Lua.

In your c:\program files\Wireshark directory, find the init.lua file.

Comment out the disable_lua line and, at the end of the file, add dofile("decodes.lua"). Then create a file in the same directory called decodes.lua.

Edit it to have contents like the following:

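do
    -- Look up the RUDP dissector by name
    local rudp_dissector=Dissector.get("rudp")
    -- Table that maps UDP port numbers to dissectors
    local udp_table=DissectorTable.get("udp.port")
    -- Decode traffic on UDP port 8000 as RUDP
    udp_table:add(8000, rudp_dissector)
end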

Now each time you start Wireshark, traffic on port 8000 will be decoded as rudp.

Instead of having it as a permanent solution, you can use the command-line option -Xlua_script:./decodes.lua when starting Wireshark.

answered 11 Apr '11, 09:01

izopizo
accept rate: 0%
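
A more defensive variant of the decodes.lua described in the answer above, added here as an example and not part of the original post: it registers several port mappings and reports any dissector or table name that does not resolve, so a typo is noticed instead of silently leaving traffic undecoded. The tcp.port 8080 to http entry and the helper name apply_mapping are constructed for illustration; only the udp.port 8000 to rudp mapping comes from the page.

```lua
-- decodes.lua (added example, not code from the original answer).
-- Registers several "Decode As" style mappings at startup and reports
-- any that could not be applied.

-- Constructed sample mappings; only the first entry comes from the page.
local mappings = {
    { tbl = "udp.port", port = 8000, dissector = "rudp" },
    { tbl = "tcp.port", port = 8080, dissector = "http" },
}

-- report_failure() shows the message to the user in Wireshark;
-- fall back to stderr if it is not available.
local warn = report_failure or function(msg) io.stderr:write(msg, "\n") end

-- Apply one mapping. Returns true on success, or false plus a reason.
-- apply_mapping is a hypothetical helper name used only in this example.
local function apply_mapping(m)
    -- Assumption: a failed lookup may either raise an error or return
    -- nil depending on the Wireshark version, so both cases are handled.
    local ok, dissector = pcall(Dissector.get, m.dissector)
    if not ok or dissector == nil then
        return false, "unknown dissector '" .. m.dissector .. "'"
    end
    local ok_t, dtable = pcall(DissectorTable.get, m.tbl)
    if not ok_t or dtable == nil then
        return false, "unknown dissector table '" .. m.tbl .. "'"
    end
    dtable:add(m.port, dissector)
    return true
end

for _, m in ipairs(mappings) do
    local ok, reason = apply_mapping(m)
    if not ok then
        warn(string.format("decodes.lua: %s %d not mapped: %s",
                           m.tbl, m.port, reason))
    end
end
```

Loading it per session with -Xlua_script:./decodes.lua, as the answer suggests, keeps the mappings out of the shared init.lua, so other captures opened on the same machine are not decoded with them unexpectedly.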

0

Currently this is not possible, but there has been interest in having this feature available. See bugs 2931 and 5143 in particular. Perhaps someone will implement this one day.

answered 11 Apr '11, 07:49

cmaynard ♦♦
accept rate: 20%