This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capturing filters from file

0

Hi, first of all, sorry for my (really) bad English. I was looking for a way to pass some capture filters to tshark from a file. I know there is a capture filters file in $HOME/.config/wireshark/$PROFILE/cfilters, but when I run (Prova is my PROFILE): tshark -C Prova -c 50 -I -i wlp0s4f1u1 > out.pcap I capture broadcast packets even though I defined a filter to NOT capture broadcast stuff.

asked 13 Apr '16, 07:14


alexamico


2 Answers:

1

You have to add a name to the capture filter you wish to use and then supply the name to the -f option prefixed with "predef:", e.g. tshark -C Prova -f "predef:MyFilterName" ....

See Bug 8091 and Change 5925 for more information.

Note this is only available in development builds, i.e. version >= 2.1.x.

answered 13 Apr '16, 08:02


grahamb ♦

edited 13 Apr '16, 10:05

So, if I want to run all and only the filters in $HOME/.config/wireshark/$PROFILE/cfilters, I MUST write some sort of script?! Isn't there a method to tell tshark to run all and only those filters?

(13 Apr '16, 08:28) alexamico

Nope, you can only pass one filter into tshark (and Wireshark for that matter). You can combine multiple filter expressions into a single filter using logical operators, probably with "and" or "&&" for your use case.

You could write a script to read all the filter expressions in cfilters and combine them programmatically and then call tshark.

(13 Apr '16, 08:36) grahamb ♦

0

The cfilters file is merely a collection of saved capture filters, but none of those filters are applied automatically. You must explicitly specify the capture filter to use on the tshark command-line.

That said, if you know the order of the saved capture filters in the cfilters file, you can grab the matching line number of the filter you want using something like the following; here I'm assuming that the filter you want is the 9th entry in the file:

tshark -C Prova -c 50 -I -i wlp0s4f1u1 -f "`head -9 cfilters | tail -1 | cut -d '\"' -f 3-`" > out.pcap

Here's what it does:

  • head -9 cfilters: This displays the first 9 lines of the file.
  • tail -1: This grabs the last line of the previous 9, thus isolating the line containing the desired capture filter.
  • cut -d '\"' -f 3-: This discards the name of the filter you gave it, leaving only the capture filter itself. Note: There remains a space that precedes the filter, but this is harmless.

Another solution, and probably a nicer one, would be to just grep the cfilters file for the unique name of the capture filter you gave it. For example, suppose you have a capture filter named "FOO"; you could do this:

tshark -C Prova -c 50 -I -i wlp0s4f1u1 -f "`grep -m 1 FOO cfilters | cut -d '\"' -f 3-`" > out.pcap

Passing the -m 1 option to grep ensures that only the first filter that matches is returned in the event that there's more than one that contains the same search string.

With this method, you don't need to know the order of the capture filters in the file, but you do need to know the name of the filter, and you should probably make sure they're all unique; otherwise the search might return an unintended match. If you want more than 1 filter, you can combine them. For example, suppose you want to apply a combined capture filter which comprises the individual capture filters you named "FOO" and "BAR":

tshark -C Prova -c 50 -I -i wlp0s4f1u1 -f "`grep -m 1 FOO cfilters | cut -d '\"' -f 3-` or `grep -m 1 BAR cfilters | cut -d '\"' -f 3-`" > out.pcap

EDIT: The solution that grahamb supplied would be preferred, if available, and if you only wanted to apply a single capture filter. The solution I provided could be useful if capture filter labels are not available though or if you wanted to apply more than 1 capture filter. As grahamb mentioned, if you want to apply all filters from the cfilters file, then it probably makes more sense to script something, likely using some of the ideas presented here.

EDIT2: Perhaps a script such as the following is more along the lines of what you're looking for?

    #!/bin/sh

    input=cfilters
    cfs=
    while read -r line              # -r keeps backslashes in the expression intact
    do
        # Each cfilters line is "Name" expression; field 3- of a '"' split is the
        # expression (with a harmless leading space). -s skips lines with no quote.
        cf=$(echo "$line" | cut -s -d '"' -f 3-)
        if [ ! -z "$cf" ]; then
            if [ ! -z "$cfs" ]; then
                # "or" joins the entries; as grahamb noted, a set of exclusion
                # filters would be joined with "and" instead
                cfs="($cfs) or ($cf)"
            else
                cfs="$cf"
            fi
        fi
    done < "$input"

    tshark -C Prova -c 50 -I -i wlp0s4f1u1 -f "$cfs" > out.pcap

answered 13 Apr '16, 09:40


cmaynard ♦♦

edited 13 Apr '16, 10:37
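As an added example (not code from either answer above, nor from the Wireshark project), here is a small POSIX sh script that does what both answers describe on an older tshark that lacks "predef:": it parses a cfilters file, looks up one entry by exact name (so a name that is a substring of another, which grep -m 1 would match by accident, is handled), and combines every entry into one capture filter with an operator you choose. It assumes the on-disk format is one `"Name" expression` per line and that lines whose first non-blank character is not a double quote are comments; the sample cfilters file is constructed inline, and the interface and profile in the final tshark command are the ones from the question.

```shell
#!/bin/sh
# Added example: parse a Wireshark cfilters file ("Name" expression per line),
# select an entry by exact name, or combine all entries into one capture filter.
# Assumption: lines not starting with a quoted name are comments and are ignored.

# Print one "name<TAB>expression" line per entry in the cfilters file $1.
cfilter_entries() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # leading blanks
            if (substr(line, 1, 1) != "\"") next     # not an entry: skip
            line = substr(line, 2)                   # drop the opening quote
            q = index(line, "\"")                    # closing quote of the name
            if (q == 0) next                         # malformed line: skip
            name = substr(line, 1, q - 1)
            expr = substr(line, q + 1)
            sub(/^[ \t]+/, "", expr)                 # blank between name and filter
            sub(/[ \t\r]+$/, "", expr)               # trailing blanks / CR
            if (expr != "") printf "%s\t%s\n", name, expr
        }' "$1"
}

# Exact-name lookup: $1 = cfilters file, $2 = name. Exits 1 when the name is
# absent, so a typo fails loudly instead of silently capturing with no filter.
cfilter_by_name() {
    cfilter_entries "$1" | awk -F '\t' -v want="$2" '
        $1 == want { print $2; found = 1; exit }
        END { exit !found }'
}

# Join every expression with operator $2. Each expression is parenthesised so
# BPF precedence is preserved. Use "and" for a set of exclusions (not broadcast,
# not multicast, ...): with "or" a packet passes as soon as any one exclusion holds.
cfilter_combine() {
    cfilter_entries "$1" | awk -F '\t' -v op="$2" '
        { out = (out == "") ? "(" $2 ")" : out " " op " (" $2 ")" }
        END { print out }'
}

# Constructed sample; not a real ~/.config/wireshark/Prova/cfilters.
DEMO_CFILTERS=$(mktemp)
trap 'rm -f "$DEMO_CFILTERS"' EXIT
cat > "$DEMO_CFILTERS" <<'EOF'
# constructed sample (this line is a comment)
"No broadcast" not broadcast
"No multicast" not multicast
"No broadcast or multicast" not broadcast and not multicast
EOF

# grep -m 1 "No broadcast" would also match the third entry; exact lookup does not.
echo "by name : $(cfilter_by_name "$DEMO_CFILTERS" "No broadcast")"
echo "all, and: $(cfilter_combine "$DEMO_CFILTERS" and)"
echo "all, or : $(cfilter_combine "$DEMO_CFILTERS" or)"

# The capture itself, with the profile and interface from the question. -w writes
# a real pcap file; redirecting stdout would save tshark's text decode instead.
if [ "${RUN_TSHARK:-0}" = 1 ]; then
    tshark -C Prova -c 50 -I -i wlp0s4f1u1 \
        -f "$(cfilter_combine "$DEMO_CFILTERS" and)" -w out.pcap
fi
```

Run it as-is to see the parsed results; set RUN_TSHARK=1 to actually start the capture (which needs the interface and capture privileges). The operator passed to cfilter_combine is the part to think about: the question's filters are all exclusions, so they must be joined with "and"; a set of inclusion filters ("only DNS", "only ARP") is joined with "or".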