This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Set a Protocol as a Default Filter

1
1

Hello All,

I would like to set a protocol as a default display filter forever instead of always writing the protocol name in the Filter combo box whenever I open Wireshark. I'd like to hard-code it so that it remains forever as my setting. Kindly provide the solution.

Thanks, Regards, S.Prashanth.

This question is marked "community wiki".

asked 20 Sep '11, 19:43


Terrestrial ...
96212829
accept rate: 42%

edited 27 Sep '11, 06:47


helloworld
3.1k42041


3 Answers:

1

Thanks all. I have resolved it by backporting the -d parameter, which initializes the display filter, from Wireshark 1.7.0 to 1.6.1. I also made the display-filter initialization "permanent", such that it always initializes to a specific value. I just changed main.c.

gchar *dfilter = "http";

if (dfilter) {
    GtkWidget *filter_te;

    filter_te = gtk_bin_get_child(GTK_BIN(g_object_get_data(G_OBJECT(top_level), E_DFILTER_CM_KEY)));
    gtk_entry_set_text(GTK_ENTRY(filter_te), dfilter);

    /* Run the display filter so it goes in effect. */
    main_filter_packets(&cfile, dfilter, FALSE);
}

This answer is marked “community wiki”.

answered 28 Sep ‘11, 00:00


Terrestrial …
96212829
accept rate: 42%

edited 28 Sep ‘11, 05:24


helloworld
3.1k42041

3

Find the place where Lua scripts should go and create the following 3 files. init.lua must have the same name. The others can be renamed. The last file is where you can customize your default filter.

init.lua:
-----------------------------------
do
-- load default filter script
dofile("lua_scripts/default_filter.lua");
end
-----------------------------------

lua_scripts/default_filter.lua:
-----------------------------------
-- load default filter settings
dofile("conditions/initfilter.lua");

do
    -- set default filter
    local function init_defaultFilter()
        local tap = Listener.new("frame","tcp")
        local initialized = false;

        function tap.reset()
            --set the filter only once
            if( not initialized )
            then
               defaultFilter = defaultFilter or "";
               set_filter(defaultFilter);
               apply_filter();
               initialized = true;
            end
        end

        -- this function will be called for every packet
        function tap.packet(pinfo,tvb,tapdata)
        end
    end

    -- apply default filter
    init_defaultFilter();
end
-----------------------------------

conditions/initfilter.lua: (my example:)
-----------------------------------
defaultFilter = "sip or http"
-----------------------------------

answered 26 Sep ‘11, 05:55


Hiftu
442
accept rate: 0%

There’s a few problems with this solution:

1) In this case, you don’t need init.lua (or even three files…a single file suffices, but “to each his own”).

2) All Lua scripts are loaded automatically if they’re in any of the plugins directories (or their subdirectories). So, your use of dofile('xyz') while the 'xyz' file is under plugins causes the file to be loaded twice. In your example, this creates two taps that do the same thing. Harmless here, but the bug makes this a bad example.

(26 Sep ‘11, 19:14) helloworld

Sorry, I am a linux user. I had to add init.lua in my system. I like splitting the config and the script so it is easy to modify even with little knowledge in lua scripting.

(27 Sep ‘11, 00:41) Hiftu

> Sorry, I am a linux user. I had to add init.lua in my system.

This isn’t required in Ubuntu 11.04. Which flavor (and specific version) of Linux are you running?

(27 Sep ‘11, 06:43) helloworld

> I like splitting the config and the script so it is easy to modify even with little knowledge in lua scripting.

When the config and script are so short (as in this case), there’s little advantage in splitting the files. Even if you wanted to organize your files this way, you should rename the config file extension to something other than .lua in order to prevent Wireshark Lua from auto-loading it in addition to your explicit dofile(). Another way to prevent the auto-load is to move the file outside of the plugins directories.

(27 Sep ‘11, 06:43) helloworld

Oh, I currently use the ~/.wireshark directory. Where is the plugin directory? (I work in an enterprise environment, and I haven’t got root access. BTW it is SLED10.)

(27 Sep ‘11, 07:25) Hiftu

The plugins directories are listed in the manual (Table A.1 Configuration files and folders). Your personal plugins (Lua in this case) would be in ~/.wireshark/plugins (you might need to create the subdirectory).

(27 Sep ‘11, 20:51) helloworld
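
The single-file layout suggested in the comments, sketched as an added example (not code posted by anyone in this thread): one script for a personal plugins directory, with no dofile(), so nothing is loaded twice. The file name, the filter string, the guard variable and the assumption that plugin scripts share one global Lua environment are assumptions of this example.

```lua
-- default_filter.lua (constructed example; the file name is arbitrary)
-- Place it in a personal plugins directory, e.g. ~/.wireshark/plugins.
-- No init.lua and no dofile(): the plugin auto-loader picks the file up.

local DEFAULT_FILTER = "sip or http"   -- sample value, edit to taste

-- Assumption: plugin scripts share one global environment, so this flag
-- prevents a second tap if the file is ever loaded twice.
if not default_filter_tap_installed and gui_enabled() then
    default_filter_tap_installed = true

    -- Tap on every frame, with no tap filter.
    local tap = Listener.new("frame")
    local applied = false

    -- As in the answer above, apply the filter from reset(), and only once.
    function tap.reset()
        if applied then return end
        -- Set the flag first in case applying the filter resets the tap again.
        applied = true
        set_filter(DEFAULT_FILTER)
        apply_filter()
    end

    -- Per-packet callback; nothing to do here.
    function tap.packet(pinfo, tvb, tapdata)
    end
end
```

The gui_enabled() check keeps the script inert when it is loaded by a non-GUI run, where there is no filter toolbar to set.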

2

Wireshark doesn't have a way to set a default display filter.

I suggest filing an enhancement request (or providing a patch to implement this functionality) at bugs.wireshark.org.

Note that although there is a -R <filter> option when starting Wireshark which will apply the filter when an input file specified with -r is read, this does not set the filter as a default display filter.

answered 20 Sep '11, 20:33


Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 20 Sep '11, 20:34

1

I think bug 2463 already covers this.

(21 Sep '11, 05:49) cmaynard ♦♦
1

An update: Thanks to Stig, as of r39090, which closes bug 2463, Wireshark now takes a -d <display_filter> command-line option to set the active display filter when Wireshark starts. Until 1.7.0 is released, you can download and try any automated installer that is version 39090 or later.

(26 Sep '11, 18:24) cmaynard ♦♦