This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to combine several filter names in the filter input text?

0

I think it would be very useful if you could use the name of a filter to create other filters. I'm not sure if you can do that. For instance, you create the following filters:

arp || smb <-- under the name of LAN
rip || eigrp <-- under the name of WAN

So you could search for: LAN OR WAN

Is there anything similar to this? Thank you.

asked 24 Nov '11, 09:21

BorjaMerino
21337
accept rate: 0%


2 Answers:

4

It's not the exact way you want to do it, but you might want to take a look at display filter macros in the Analyze -> Display Filter Macro menu option. You could add two new macros:

  1. Name = "wan" and Text = "rip or eigrp"
  2. Name = "lan" and Text = "arp or smb"

After that you can call the macros in the filter bar like this: ${wan} or ${lan}. I agree that it is a bit awkward to enter the additional dollar signs and the curly brackets, but it might be faster than typing the long filters if they're really complex.

answered 24 Nov '11, 15:34

Jasper ♦♦
23.8k551284
accept rate: 18%

1

You can also save your Display Filters.
Go to:
Analyze | Display filters... or hit Filter at the left side of the Filter Toolbar
Hit New
Filter name: wan
Filter string: rip or eigrp
Hit Apply
Repeat the steps to add the second filter.

Apply your display filters:
Open the Display Filter dialog box again.
Select your filter.
Hit OK to apply the filter.

Or you can edit the dfilters file:
C:\Documents and Settings\USER\Application Data\Wireshark
Add your filters to the file.
Make sure you end with an empty line, otherwise you won't see your filter.
"wan" rip or eigrp
"lan" arp or smb
"test" http or smb and ip.addr==192.168.19.10

answered 25 Nov '11, 13:56

joke
1.3k4934
accept rate: 9%
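The two answers above can be combined outside Wireshark, as an added example that is not part of the original thread or of Wireshark's own code: this helper reads named filters in the dfilters line format shown in the second answer and expands ${name} references, written as in the first answer, into one display filter string. The function names, the sample text and the choice to parenthesise each expansion are assumptions of this example.

```python
import re

# Constructed sample in the dfilters line format shown above: "name" expression
SAMPLE_DFILTERS = '''"wan" rip or eigrp
"lan" arp or smb
"test" http or smb and ip.addr==192.168.19.10
'''

_LINE = re.compile(r'^"([^"]+)"\s+(.+?)\s*$')   # "name" followed by the filter
_REF = re.compile(r'\$\{([A-Za-z0-9_]+)\}')      # ${name} reference


def parse_dfilters(text):
    """Return {name: expression}; blank or malformed lines are skipped."""
    filters = {}
    for line in text.splitlines():
        match = _LINE.match(line)
        if match:
            filters[match.group(1)] = match.group(2)
    return filters


def expand(expr, filters, _stack=()):
    """Replace every ${name} in expr with its stored filter, recursively."""
    def substitute(match):
        name = match.group(1)
        if name not in filters:
            raise KeyError("unknown filter name: " + name)
        if name in _stack:
            chain = " -> ".join(_stack + (name,))
            raise ValueError("circular reference: " + chain)
        # Parentheses keep the named filter a single operand, so a following
        # "and"/"or" cannot regroup the terms inside it.
        return "(" + expand(filters[name], filters, _stack + (name,)) + ")"
    return _REF.sub(substitute, expr)


if __name__ == "__main__":
    named = parse_dfilters(SAMPLE_DFILTERS)
    print(expand("${wan} or ${lan}", named))
    print(expand("${test} and tcp", named))
```

The expanded string can be pasted into the filter bar or passed to tshark with -Y.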