Winpcap (https://www.winpcap.org/) provides lots of functions, such as pcap_setfilter/pcap_compile..., so we can write a software using C language, which can capture packets from an interface card or filter packets from files using a capture filter. But sometimes I want to capture or filter using a display filter in my software. How can I do this? Does Wireshark provide C language functions similar to pcap_setfilter/pcap_compile/pcap_open...? Thanks a lot

If I analyse a few files manually, tshark is ok. But I want to analyse a lot of files automatically. For example, if I want to filter thousands of files, how can I count the number of matched packets in each file? How can I write matched packets to one file or a few files? Can the tshark command line help me to do this? Thank you

asked 12 Nov '16, 00:15 w44524
edited 13 Nov '16, 21:50
One Answer:
Display filtering is done by the Wireshark engine in libwireshark, but this is NOT built to be used as an external library by other applications, although a few have managed to do so. You might be better off using the command line application tshark to filter for you.

answered 12 Nov '16, 03:05 grahamb ♦
Following up your supplemental question, you'll need to supply a display filter in the call to tshark and then parse the output.

There is a tshark man page that lists all the tshark options; you might be interested in the -z <statistics> part.
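One way to script the batch job described in the supplemental question (count matches per file, then write the matching packets out) is a small POSIX shell wrapper around tshark's -Y display filter option. This is an added example, not code from the question or the answer; the display filter, the output directory and the file names are constructed for illustration.

```shell
#!/bin/sh
# Batch display-filter counting and extraction with tshark (added example).
# Assumed inputs: capture files passed as arguments. FILTER is a constructed
# example display filter (TCP SYNs without ACK); override it via the environment.
FILTER="${FILTER:-tcp.flags.syn == 1 && tcp.flags.ack == 0}"
OUTDIR="${OUTDIR:-matched}"

# count_matched FILE FILTER -> prints the number of packets matching FILTER.
# -Y applies the display filter on read; -T fields -e frame.number prints one
# line per matching packet, so counting lines gives the match count (0 if none).
count_matched() {
    tshark -r "$1" -Y "$2" -T fields -e frame.number 2>/dev/null | awk 'END { print NR }'
}

# extract_matched FILE FILTER OUT -> writes only the matching packets to OUT.
# With -Y, tshark applies the display filter before writing with -w.
extract_matched() {
    tshark -r "$1" -Y "$2" -w "$3" 2>/dev/null
}

# report FILTER FILE... -> prints "file,count" for every input plus a TOTAL line,
# i.e. the parsed, machine-readable summary the answer suggests producing.
report() {
    filter=$1
    shift
    total=0
    for f in "$@"; do
        n=$(count_matched "$f" "$filter")
        echo "$f,$n"
        total=$((total + n))
    done
    echo "TOTAL,$total"
}

# Stand-alone use: sh batch_filter.sh capture1.pcap capture2.pcapng ...
# (-z io,stat,0,"<filter>" with -q is an alternative for counting, but its table
# output needs more parsing than the one-line-per-packet form used above.)
if [ "$#" -gt 0 ]; then
    mkdir -p "$OUTDIR"
    report "$FILTER" "$@"
    for f in "$@"; do
        extract_matched "$f" "$FILTER" "$OUTDIR/$(basename "$f").matched.pcapng"
    done
fi
```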