This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there any way to filter or capture packet using display filter in C language?

0

WinPcap (https://www.winpcap.org/) provides lots of functions, such as pcap_setfilter/pcap_compile..., so we can write software in C that captures packets from an interface card or filters packets from files using a capture filter.

But sometimes I want to capture or filter using a display filter in my software. How can I do this? Does Wireshark provide C language functions similar to pcap_setfilter/pcap_compile/pcap_open...?

Thanks a lot

If I analyse a few files manually, tshark is OK. But I want to analyse a lot of files automatically.

For example, if I want to filter thousands of files, how can I count the number of matched packets in each file? How can I write the matched packets to one file or a few files?

Can the tshark command line help me do this? Thank you

asked 12 Nov '16, 00:15

w44524

edited 13 Nov '16, 21:50


One Answer:

1

Display filtering is done by the Wireshark engine in libwireshark but this is NOT built to be used as an external library by other applications, although a few have managed to do so.

You might be better off using the command line application tshark to filter for you.

answered 12 Nov '16, 03:05

grahamb ♦

Following up on your supplemental question, you'll need to supply a display filter in the call to tshark and then parse the output.

There is a tshark man page that lists all the tshark options; you might be interested in the -z <statistics> part.

(14 Nov '16, 02:25) grahamb ♦
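
The batch approach suggested in the answer, as an added example that is not part of the original thread: it calls tshark once per capture file with a display filter, counts the matches, and saves them to a per-file output. The function names, the `TSHARK` override variable and the script name are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Assumes tshark is on PATH;
# set TSHARK to a full path otherwise.
TSHARK="${TSHARK:-tshark}"

# Print how many packets in capture file $1 match display filter $2.
count_matches() {
    local frames
    # -r reads a saved capture, -Y applies a display filter, and
    # -T fields -e frame.number prints one line per matching packet.
    frames=$("$TSHARK" -r "$1" -Y "$2" -T fields -e frame.number) || return 1
    printf '%s' "$frames" | awk 'END { print NR }'
}

# Write the packets of $1 that match display filter $2 to capture file $3.
save_matches() {
    "$TSHARK" -r "$1" -Y "$2" -w "$3"
}

# filter_dir <display-filter> <output-dir> <capture-file>...
# Prints "<count><TAB><file>" per input plus a TOTAL line, and stores the
# matching packets of each input under <output-dir>.
filter_dir() {
    local filter="$1" outdir="$2" f n total=0
    shift 2
    mkdir -p "$outdir" || return 1
    for f in "$@"; do
        # An unreadable or truncated capture must not abort the whole batch.
        if ! n=$(count_matches "$f" "$filter"); then
            printf 'ERR\t%s\n' "$f"
            continue
        fi
        printf '%s\t%s\n' "$n" "$f"
        total=$((total + n))
        # Skip the second pass when nothing matched.
        if [ "$n" -gt 0 ]; then
            save_matches "$f" "$filter" "$outdir/$(basename "$f")" || return 1
        fi
    done
    printf '%s\tTOTAL\n' "$total"
}

# Run as a script, e.g.: ./filter_dir.sh 'tcp.analysis.retransmission' out *.pcap
if [ "$#" -ge 3 ]; then
    filter_dir "$@"
fi
```

The per-file outputs can be combined into a single capture afterwards with `mergecap -w all.pcapng out/*`. Inputs that share a base name overwrite each other in the output directory, so keep names unique or add a prefix.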