I want to more effectively manage Filters defined within Profiles. By that, I mean that each of my Profiles tends to contain the same basic set of Filters, plus a bunch which are unique to that Profile, and that I occasionally want to update that common set. Specifically, %APPDATA%\Wireshark\profiles\{name of profile}\preferences contains a section which looks like this:

    # Filter Expressions
    gui.filter_expressions.label: Me
    gui.filter_expressions.enabled: TRUE
    gui.filter_expressions.expr: eth.addr==80:EE:73:43:D6:9C
    gui.filter_expressions.label: Not Broadcast
    gui.filter_expressions.enabled: TRUE
    gui.filter_expressions.expr: not eth.ig==1
    gui.filter_expressions.label: Not-Junk
    gui.filter_expressions.enabled: TRUE
    gui.filter_expressions.expr: not (browser or db-lsp-disc or ipv6 or ip.dst==224.0.0.0/8 or hsrp or ipx or nbns or rtmp or stp)
    gui.filter_expressions.label: TAF
    gui.filter_expressions.enabled: TRUE
    gui.filter_expressions.expr: (tcp.analysis.flags and not tcp.analysis.window_update) or tcp.flags.reset==1
    gui.filter_expressions.label: TCP Reset
    gui.filter_expressions.enabled: TRUE
    gui.filter_expressions.expr: tcp.flags.reset==1

When I copy my Profile collection to a new machine (which happens more frequently than I'm enjoying), I manually edit each preferences file and change '80:EE:73:43:D6:9C' to the MAC address of my new workstation. Tedious.

In a perfect world, I would paste this block of 'common' filters into %APPDATA%\Roaming\Wireshark\preferences or perhaps preferences_common; then, they would magically appear in every single Profile ... and life would be good. But, we don't yet have a concept of a 'common' preferences file, per https://www.wireshark.org/lists/wireshark-users/201306/msg00041.html

[The approach I'm imagining would also make it easy to add a new filter to every single Profile ... or to update the 'Not Junk' filter, the elements of which are gradually increasing as I encounter more and more 'junk' in my environments ... both currently manual / tedious tasks.]

So I'm headed toward writing a Windows .bat file and a *nix bash script to at least automate replacing '80:EE:73:43:D6:9C' with the MAC address of my new workstation. A little directory traversal, a sed one-liner, not too difficult. But before I walk this path, I want to float this problem here, figuring that other folks face it too. Has anyone tumbled to a more clever solution than the one I'm envisioning?

--sk

asked 08 Jan '15, 06:42 skendric |
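The directory traversal plus substitution that the question sketches, written up as an added, cross-platform example (not code from the poster or from the Wireshark project). It assumes the layout the question describes: a profiles directory containing one subdirectory per profile, each with a `preferences` file whose filter buttons are stored as `gui.filter_expressions.label` / `.enabled` / `.expr` triplets. The substitution is deliberately restricted to `gui.filter_expressions.expr` lines, so a MAC address that happens to appear in a comment or in some other preference is left alone, and the new address is validated before anything is written. The sample preferences text is constructed from the block shown in the question.

```python
"""Rewrite the workstation MAC address in Wireshark profile filter buttons.

Added example. Assumes <profiles_dir>/<profile name>/preferences, with the
filter buttons stored as label/enabled/expr triplets as shown in the question.
"""
import re
import tempfile
from pathlib import Path

# Colon-separated, six-octet MAC address, case-insensitive.
MAC_RE = re.compile(r"(?i)(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")

# Constructed sample: two buttons from the question plus a comment that
# mentions the MAC, to show that only expr lines are rewritten.
SAMPLE_PREFERENCES = """# Filter Expressions
# workstation 80:EE:73:43:D6:9C (comment, must not be rewritten)
gui.filter_expressions.label: Me
gui.filter_expressions.enabled: TRUE
gui.filter_expressions.expr: eth.addr==80:EE:73:43:D6:9C
gui.filter_expressions.label: Not Broadcast
gui.filter_expressions.enabled: TRUE
gui.filter_expressions.expr: not eth.ig==1
"""


def parse_filter_expressions(text):
    """Return the filter buttons as a list of {'label', 'enabled', 'expr'} dicts."""
    prefix = "gui.filter_expressions."
    filters, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(prefix):
            continue
        key, _, value = line.partition(":")
        field = key[len(prefix):]
        if field == "label":
            # A label line starts a new triplet.
            current = {"label": value.strip()}
            filters.append(current)
        elif field in ("enabled", "expr") and current is not None:
            current[field] = value.strip()
    return filters


def replace_mac_in_expr_lines(text, old_mac, new_mac):
    """Replace old_mac with new_mac on gui.filter_expressions.expr lines only.

    Returns (new_text, number_of_replacements). Raises ValueError if new_mac
    is not a well-formed MAC, so a typo never lands in every profile at once.
    """
    if not MAC_RE.fullmatch(new_mac):
        raise ValueError(f"not a MAC address: {new_mac!r}")
    out, changed = [], 0
    for line in text.splitlines(keepends=True):
        if line.lstrip().startswith("gui.filter_expressions.expr:"):
            line, n = re.subn(re.escape(old_mac), new_mac, line, flags=re.IGNORECASE)
            changed += n
        out.append(line)
    return "".join(out), changed


def rewrite_profiles(profiles_dir, old_mac, new_mac):
    """Walk <profiles_dir>/*/preferences and rewrite each in place.

    Returns {profile name: replacements made}; files with no match are untouched.
    """
    results = {}
    for pref in sorted(Path(profiles_dir).glob("*/preferences")):
        text = pref.read_text(encoding="utf-8")
        new_text, n = replace_mac_in_expr_lines(text, old_mac, new_mac)
        if n:
            pref.write_text(new_text, encoding="utf-8")
        results[pref.parent.name] = n
    return results


def demo():
    """Build a throwaway profiles tree and rewrite it; returns the per-profile counts."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("Home", "Work"):
            d = Path(tmp) / name
            d.mkdir()
            (d / "preferences").write_text(SAMPLE_PREFERENCES, encoding="utf-8")
        results = rewrite_profiles(tmp, "80:EE:73:43:D6:9C", "00:11:22:33:44:55")
        rewritten = (Path(tmp) / "Home" / "preferences").read_text(encoding="utf-8")
    # The comment line still carries the old MAC; only the expr line changed.
    assert "# workstation 80:EE:73:43:D6:9C" in rewritten
    return results


if __name__ == "__main__":
    print(demo())  # {'Home': 1, 'Work': 1}
```

On Windows the profiles directory is the `%APPDATA%\Wireshark\profiles` path from the question; pass it as `profiles_dir`. Because the substitution is anchored to `expr` lines and the replacement is validated, the same script can be re-run safely after the next machine move.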
One Answer:
Instead of rewriting your MAC address, you could use the following common filter to remove Ethernet broadcasts.
This will however only filter broadcast MAC addresses, not multicast MAC addresses, but maybe that's O.K. for your environment. Unfortunately the following filter does not work to remove the most common multicast MAC addresses.
Whereas the following filter returns the correct frames!?!
However not this filter!
So, either the "matches" operator is buggy when applied to eth.addr fields, or it works differently than I would have expected.

Regards

answered 10 Jan '15, 05:51 Kurt Knochner ♦ |