Wireshark needs a command line argument to set the display filter
This issue was migrated from bug 2463 in our old bug tracker.
Original bug information:
Reporter: Vinay Chilakamarri
Status: RESOLVED FIXED
Product: Wireshark
Component: GTK+ UI
OS: All
Platform: All
Version: unspecified
Activity
Build Information: wireshark 1.0.0
Copyright 1998-2008 Gerald Combs <gerald@wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GTK+ 2.12.8, with GLib 2.14.6, with WinPcap (version unknown), with libz 1.2.3, without POSIX capabilities, with libpcre 7.0, with SMI 0.4.5, with ADNS, with Lua 5.1, with GnuTLS 1.6.1, with Gcrypt 1.2.3, with MIT Kerberos, with PortAudio V19-devel, with AirPcap.
Running on Windows XP Service Pack 2, build 2600, with WinPcap version 4.0.2 (packet.dll version 4.0.0.1040), based on libpcap version 0.9.5, without AirPcap.
Built using Microsoft Visual C++ 6.0 build 8804
When a Display Filter expression is used along with "-R" argument with tshark, only those packets are displayed which match the expression specified after this argument. The same doesn't work for Wireshark: it displays all the captured packets regardless of the expression that was given.(This is when you want to start wireshark from commandline) Here is an example: wireshark -f "udp port 37112" -i2 -k -R"(wlan.addr==00:2E:E0:76:5D:83)"added enhancement uigtk labels
-
"-R" would be wrong; that would set a "read filter", meaning that, while initially reading packets, packets that don't match the filter would be discarded. This is an option to set the *display* filter; packets that don't match the display filter are still read in, they're just not displayed - but if you change the display filter, they might be displayed. -
(In reply to comment #2)
> but how to set a Display filter as the Default forever?I would like to set a protocol as a Default Filter forever instead of always writing the protocol name in the Filter combo box whenever i open Wireshark. I like to Hardcode so that it remains forvever as my setting. Kindly, Provide the solution.
Thanks, Regards, S.Prashanth.
-
(In reply to comment #2)
> but how to set a Display filter as the Default forever?Assuming a new command-line option is added, say something like "-d <filter>", then always start Wireshark with that option. Modify any shortcuts, etc. as needed so that option would always be passed to Wireshark whenever you launch it.
Now someone just has to be interested enough to actually implement it.
-
*** Bug #6372 (closed) has been marked as a duplicate of this bug. ***
-
(In reply to comment #4)
> Now someone just has to be interested enough to actually implement it.A small matter of programming, added in revision 39090.
It does not add a display filter "forever", but it does set and apply a display filter. I think this is the closest we will get for this request.
-
(In reply to comment #6) > A small matter of programming, added in revision 39090. > > It does not add a display filter "forever", but it does set and apply a display > filter. I think this is the closest we will get for this request. I agree. Thanks Stig; it works as advertised. Closing as fixed. -
One comment though, somewhat related to this new feature, regarding the file open dialog: Currently there is a field entitled, "Display filter", but should that be changed to "Read filter" since specifying the filter in that field is akin to "-R <read filter>", not "-d <display filter>"?
-
(In reply to comment #9)
> Thanks for the solution. Instead of Compiling and executing wireshark.exe with
> -d and protocol name everytime, I would like to make an executable along with
> the default display filter. Is this possible?Sure! Feel free to compile your own Wireshark for your own needs.
But I think the best solution for you would be to write a script to start "wireshark -d <filter>".
-
(In reply to comment #13)
> is trunk 39090 a stable version?No Dev (Trunk) release... available here http://www.wireshark.org/download/automated
-
(In reply to comment #14) > (In reply to comment #13) > > is trunk 39090 a stable version? > > No Dev (Trunk) release... available here > http://www.wireshark.org/download/automated In that case, Do I encounter any bugs If I take the files related to Default filter and patch up with wireshark 1.6.1 binaries? I want Default Filter to work for wireshark-1.6.1.exe executable. -
(In reply to comment #15)
> In that case, Do I encounter any bugs If I take the files related to Default
> filter and patch up with wireshark 1.6.1 binaries? I want Default Filter to
> work for wireshark-1.6.1.exe executable.New features do not get back-ported to stable releases. You can either download one of the automated installers with at least r39090 or later, manually back-port the feature yourself to 1.6.1, or wait for the next 1.7.0 development release. Either way, the new "-d <display filter>" feature has been added by Stig and so this bug is now closed.
-
(In reply to comment #16) > (In reply to comment #15) > > In that case, Do I encounter any bugs If I take the files related to Default > > filter and patch up with wireshark 1.6.1 binaries? I want Default Filter to > > work for wireshark-1.6.1.exe executable. > > New features do not get back-ported to stable releases. You can either > download one of the automated installers with at least r39090 or later, > manually back-port the feature yourself to 1.6.1, or wait for the next 1.7.0 > development release. Either way, the new "-d <display filter>" feature has > been added by Stig and so this bug is now closed. thanks i solved it. mentioned in issue #6372 (closed)