This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.
3
1

As a user that uses Wireshark a lot for debugging, I was wondering if the capability to use a filter as a criteria to stop a capture is ever going to be implemented (just like there is a stop condition after a configurable amount of packets/bytes/seconds). I saw the bug 3967 enhancement recommendation, but I don't see a planned version for implementing this.

This can be very helpful.

asked 13 Sep '10, 05:41

yarozen's gravatar image

yarozen
46123
accept rate: 0%

edited 02 Sep '12, 16:45

cmaynard's gravatar image

cmaynard ♦♦
9.3k1038142

Are you referring to Display filters or Capture filters?

(13 Sep '10, 08:04) Jaap ♦
1

display filter, i want to capture all traffic not only the type of traffic which will cause the sniffer to stop.

(13 Sep '10, 08:55) yarozen

I've updated the tag & subject accordingly.

(14 Sep '10, 10:09) Gerald Combs ♦♦
1

Love the idea - triggered stops. For example, capture file sets with a ring buffer and stop capturing when a condition is met - now could one of those conditions be a lack of traffic from a host? For example, when no packets are seen from the server within a 10 second time period?

(14 Sep '10, 12:04) lchappell ♦

That would require: 1. Adding stop condition filtering in Wireshark (stops are now handled in dumpcap, which will never get filter capabilities). 2. Adding guarding timers, to trigger on absence of filter hits.

(14 Sep '10, 13:28) Jaap ♦

I can give you real life example where this kind of a feature would have helped me a lot: We got a system that handles dozens of Mb/sec of traffic. when something goes wrong (like the application crash) an SNMP trap is sent. I would like to run a cyclic ring buffer of let's say 20 files of 20 MB each and use SNMP (or UDP 162) as a trigger to stop capturing. this way I will be able to see the traffic passed through the system in the last seconds before the application crashed, and might find out the reason for the crash (e.g. specific HTTP request the caused parsing error in our application).

(14 Sep '10, 22:46) yarozen

"Capture filter" and "display filter" have multiple meanings - they can either refer to the effect the filter has or to the filter's syntax. For example, the "Find Next"/"Find Previous" operations use an expression that has display filter syntax, but they don't actually filter what's displayed.

When Jaap asked "Are you referring to Display filters or Capture filters?", he was referring to the syntax -a stop condition can have capture filter syntax without causing only packets that match the stop condition to be captured (i.e., that doesn't mean it'll act as a capture filter).

(15 Sep '10, 17:30) Guy Harris ♦♦

Thanks for the clarification Guy. Either way I prefer Display filters over Capture filters as they are more flexible and let you use layer7 values (e.g. HTTP specific header or a specific OID in SNMP). Can anybody say if there is any plan to add such functionality and if so, when/which Wireshark version? Thanks

(15 Sep '10, 23:51) yarozen

Please comment/vote if you think that such a feature will be helpful. As a heavy Wireshark user I always wanted this feature.

(26 Sep '10, 01:23) yarozen

So do I! Would be great to be able to a capture when a certain condition occurs...

(03 Jun '13, 00:43) Marc
showing 5 of 10 show 5 more comments
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×165
×9
×3

question asked: 13 Sep '10, 05:41

question was seen: 3,834 times

last updated: 03 Jun '13, 00:43

p​o​w​e​r​e​d by O​S​Q​A