This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, in our environment, we are processing pcapng files with a proprietary protocol that are captured/created by another device and we want to analyze these files using Wireshark. The capture files may have packets captured from multiple interfaces and we would like the ability to filter the packet display by interface. I have written a protocol dissector (similar to the plugins/gryphon dissector) and would like to automatically generate the filters during packet dissection, if possible. I could add the filters manually, but the number of interfaces varies depending on the device that generated the pcap file and it requires checking the capture file properties to know what interfaces are present. Is there any way to create and add display filters from within a protocol descriptor? Another alternative would be to do this when the file is opened, but it's not clear to me where the best place to do this is.

As a secondary question, it would also be nice to display the filtered packets for each interface in another tab or window. From what I've read, the only way to do this is to open a second instance of Wireshark. Does anyone know of an alternate way to accomplish this?

Thank you.

-Ron

asked 15 Sep '16, 09:09


RonW

What do you mean by "the filters"? To which filters are you referring?

(15 Sep '16, 18:30) Guy Harris ♦♦

I'm only referring to display filters. Our capture files are created external to Wireshark so capture filters are not really of much use in this scenario. And a further clarification: when I referred to manually adding the filters, I was talking about adding them through the GUI menu "Analyze->Display Filters", which is what I'm trying to avoid requiring the user to do. Thanks again.

(15 Sep '16, 18:51) RonW

Unfortunately, there are no APIs in Wireshark to allow any code to add to that list of filters; the list that comes with Wireshark is just a text file that's part of the Wireshark source repository, it's not generated by code.

You could request such an API by filing an enhancement request on the Wireshark Bugzilla.

As for the secondary question, that should be asked separately; this is a Q&A site, not a forum, so there should only be one question per question.


answered 15 Sep '16, 18:56


Guy Harris ♦♦
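An added example, written for this thread and not code from the asker or from the Wireshark project, for the part of the question about having to inspect the capture file properties to learn which interfaces are present. Wireshark already exposes each packet's pcapng interface index as the display-filter field `frame.interface_id`, so an offline script that walks the file's Interface Description Blocks can print one ready-to-paste filter per interface without any registration from inside the dissector. The sample capture bytes are constructed inline (linktype 147, LINKTYPE_USER0, stands in for the proprietary protocol); the parser assumes a single-section file and rejects truncated or inconsistent blocks.

```python
"""List the interfaces of a pcapng file and derive a Wireshark display filter per interface.

Example code added to this thread; not the asker's code and not part of Wireshark.
"""
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006   # block types from the pcapng spec
BYTE_ORDER_MAGIC = 0x1A2B3C4D
OPT_ENDOFOPT, OPT_IF_NAME, OPT_IF_DESCRIPTION = 0, 2, 3


def _blocks(data):
    """Yield (endian, block_type, body) for each block; endianness is set by the SHB."""
    endian, pos = "<", 0
    while pos + 12 <= len(data):
        btype = struct.unpack_from(endian + "I", data, pos)[0]   # SHB type is byte-order neutral
        if btype == SHB:
            magic = struct.unpack_from("<I", data, pos + 8)[0]
            endian = "<" if magic == BYTE_ORDER_MAGIC else ">"
        blen = struct.unpack_from(endian + "I", data, pos + 4)[0]
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError(f"malformed block length at offset {pos}")
        if struct.unpack_from(endian + "I", data, pos + blen - 4)[0] != blen:
            raise ValueError(f"trailing length mismatch at offset {pos}")
        yield endian, btype, data[pos + 8:pos + blen - 4]
        pos += blen


def _options(endian, body, offset):
    """Parse the option list (code, length, value padded to 4 bytes) starting at offset."""
    opts = {}
    while offset + 4 <= len(body):
        code, length = struct.unpack_from(endian + "HH", body, offset)
        offset += 4
        if code == OPT_ENDOFOPT:
            break
        opts[code] = body[offset:offset + length]
        offset += (length + 3) & ~3
    return opts


def enumerate_interfaces(data):
    """Return one dict per IDB (id, linktype, snaplen, name, description, packet count)."""
    interfaces, sections = [], 0
    for endian, btype, body in _blocks(data):
        if btype == SHB:
            sections += 1
            if sections > 1:   # interface ids restart per section; out of scope for this example
                raise ValueError("multi-section pcapng files are not handled here")
        elif btype == IDB:
            linktype, _reserved, snaplen = struct.unpack_from(endian + "HHI", body, 0)
            opts = _options(endian, body, 8)
            text = lambda code: opts.get(code, b"").decode("utf-8", "replace")
            interfaces.append({"id": len(interfaces), "linktype": linktype, "snaplen": snaplen,
                               "name": text(OPT_IF_NAME), "description": text(OPT_IF_DESCRIPTION),
                               "packets": 0})
        elif btype == EPB:
            if_id = struct.unpack_from(endian + "I", body, 0)[0]
            if if_id >= len(interfaces):
                raise ValueError(f"EPB references unknown interface {if_id}")
            interfaces[if_id]["packets"] += 1
    return interfaces


def display_filters(interfaces):
    """Map a human label to the Wireshark display filter selecting that interface's packets."""
    return {iface["name"] or f"interface {iface['id']}": f"frame.interface_id == {iface['id']}"
            for iface in interfaces}


# --- constructed sample capture (not a real file) ---------------------------------------
def _block(endian, btype, body):
    body += b"\0" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack(endian + "II", btype, total) + body + struct.pack(endian + "I", total)


def _opt(endian, code, value):
    return struct.pack(endian + "HH", code, len(value)) + value + b"\0" * (-len(value) % 4)


def build_sample_pcapng(endian="<"):
    """Two interfaces (Ethernet and a LINKTYPE_USER0 'proprietary' link) and three packets."""
    shb = _block(endian, SHB, struct.pack(endian + "IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))
    idb0 = _block(endian, IDB, struct.pack(endian + "HHI", 1, 0, 65535)
                  + _opt(endian, OPT_IF_NAME, b"eth0") + _opt(endian, OPT_ENDOFOPT, b""))
    idb1 = _block(endian, IDB, struct.pack(endian + "HHI", 147, 0, 65535)
                  + _opt(endian, OPT_IF_NAME, b"can0") + _opt(endian, OPT_ENDOFOPT, b""))

    def epb(if_id, payload):
        hdr = struct.pack(endian + "IIIII", if_id, 0, 0, len(payload), len(payload))
        return _block(endian, EPB, hdr + payload)

    return shb + idb0 + idb1 + epb(0, b"\x01\x02\x03") + epb(1, b"\x04") + epb(0, b"\x05\x06")


if __name__ == "__main__":
    ifaces = enumerate_interfaces(build_sample_pcapng())
    for label, flt in display_filters(ifaces).items():
        print(f"{label:12s} {flt}")
```

Run it against a real file with `enumerate_interfaces(open(path, "rb").read())`; each printed filter can be pasted into the display-filter bar, and the per-interface packet counts let you sanity-check that the IDB order matches what Wireshark shows under Statistics > Capture File Properties.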


question asked: 15 Sep '16, 09:09


last updated: 23 Sep '16, 01:46
