Hi,

If my understanding is correct, capture filters are designed to discard packets before any processing takes place. Is there a way to discard packets after decryption? That is, to allow Wireshark to decrypt using the information provided and then discard the unwanted packets so that they don't take up memory. If not the GUI, could tshark handle something similar?

Thanks

asked 12 Aug '15, 08:35 mun
One Answer:
That is called the Read Filter. Open up the Open Capture File dialog and notice the filter at the southwest side of the dialog. It's a display filter format entry field which is used to filter packets when being loaded. The same can be achieved using -R on the command line for both Wireshark and Tshark. (Note: you'll have to save the capture file first, then read it again, but this is as close as it gets AFAIK).

answered 12 Aug '15, 09:01 Jaap ♦
edited 12 Aug '15, 09:03
I see what you mean. But I was hoping for a 'post-capture' filter to be applied during capturing so that packets are discarded after processing during capturing. Is there something similar?
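
The read-filter approach from the answer, applied to capture files that have already been saved, as an added example that is not part of the original thread. The TLS key log preference, the file names and the filter are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: TLS traffic, a key log file,
# and all file names and the filter shown in the usage line.
#
# usage: filter_saved_captures OUTDIR FILTER KEYLOG FILE...
#   e.g. filter_saved_captures filtered 'http.request' keys.log seg_*.pcapng
# Reads each saved FILE, lets the dissectors decrypt it with KEYLOG, keeps
# only the packets matching the read FILTER, and writes them to OUTDIR.
filter_saved_captures() {
    [ "$#" -ge 4 ] || { echo "usage: OUTDIR FILTER KEYLOG FILE..." >&2; return 2; }
    outdir=$1 filter=$2 keylog=$3
    shift 3
    [ -n "$filter" ] || { echo "empty read filter" >&2; return 2; }
    mkdir -p "$outdir" || return 2
    failed=0
    for src in "$@"; do
        if [ ! -r "$src" ]; then
            echo "skipping unreadable file: $src" >&2
            failed=1
            continue
        fi
        dst=$outdir/$(basename "$src")
        # -2 turns on two-pass analysis, which current tshark requires for -R.
        # tls.keylog_file is the Wireshark 3.x preference name; older
        # releases call it ssl.keylog_file.
        tshark -o "tls.keylog_file:$keylog" \
               -r "$src" -2 -R "$filter" -w "$dst" || failed=1
    done
    # 0 when every file was filtered, 1 when any file was skipped or failed.
    return "$failed"
}
```

The files written to OUTDIR hold the matching packets as they were captured, so the key log is still needed to view them decrypted.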