This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why multiple capture filter options don’t work when used in startup with Wireshark arguments ?

0

I have the wireshark Version 1.10.8 (v1.10.8-2-g52a5244 from master-1.10) running on a server. I have set the following arguments in the Wireshark shortcut link

"C:\Program Files\Wireshark\Wireshark.exe" -i 6 -i 5 -f "port 2152" -k"

I have no problem with this. When opening the shortcut, Wireshark starts automatically and captures on interface # 5, 6 and only packets with port 2152.

But when I combine multiple ports in the capture filter arguments of Wireshark, this doesn't work.

"C:\Program Files\Wireshark\Wireshark.exe" -i 6 -i 5 -f "port 2152 or port 2153" -k"

When opening this shortcut, Wireshark starts automatically and captures ALL the packets on interface # 5, 6 and deosn't apply the capture filter. I stop the capture and go to the capture options and I see the capture options field with the filter I had in it. When I restart the capture now, the capture filter is applied. This behavior is the same with all possible combinations of filters. When having tow or more filters, I will always have to stop the capture and then go to the capture options just so that Wireshark will take the filter.

Anybody seen this behavior ?

asked 10 Jul '14, 12:19

Prask's gravatar image

Prask
11112
accept rate: 0%

Additional Notes:


I tested these combinations in the start-up arguments:

1 Interface and 1 Capture Filter = Works

1 Interface and 2 Capture Filters = Works

1 Interface and >3 Capture Filters = Works

2 Interfaces and 1 Capture Filter = Works

2 Interfaces and >2 Capture Filters = FAIL

(10 Jul '14, 12:25) Prask

One Answer:

0

The order of the interfaces makes a difference on my system.

Does not work (meaning shows ALL traffic):

"C:\Program Files\Wireshark\Wireshark.exe" -i 6 -i 5 -f "port 2152 or port 2153" -k

Does work (meaning shows ONLY traffic on those ports):

"C:\Program Files\Wireshark\Wireshark.exe" -i 5 -i 6 -f "port 2152 or port 2153" -k

Looks like a bug to me. Please file a bug report at https://bugs.wireshark.org

Regards
Kurt

answered 10 Jul '14, 12:36

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Hi Kurt, I tried your method..Still same result for me. Will report the bug.

Thanks,

Pras

(10 Jul '14, 14:54) Prask