Wireshark-dev: Re: [Wireshark-dev] Add restrictions to arguments of dumpcap

From: Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Wed, 6 May 2009 23:59:52 -0400

On May 6, 2009, at 3:40 PM, Aaron Turner wrote:

Personally I think different filters for different interfaces doesn't
make a lot of sense.  I really can't imagine a situation when you'd
need to capture different kinds of packets on different interfaces but
write to a single file.

For SCTP I might want to capture on two different interfaces
traffic belonging to the same transport connection. I might want
to filter on different destination addresses:
dumpcap -n -i en0 -f sctp && host a.b.c.d -i en1 -f sctp && host e.f.g.h

At least, I think it's fair to say that single filter w/ multiple
interfaces is a more common case then multiple filters & multiple
interfaces.  Ideally the more common case shouldn't require you to
specify the same filter twice.

But I need a way to distinguish whether this filter applies for
all interfaces or only for one...

So we could do
dumpcap -f sctp -n -i en0 -i en1
(filter before interface) to mean setting for all interfaces
and
dumpcap -n -i en0 -f sctp -i en1
(filter after interface) that sctp is used only for en0 and en1
has no capture filter.

What do you think about this?

-- Aaron Turner

http://synfin.net/

http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows Those who would give up essential Liberty, to purchase a little temporary

Safety, deserve neither Liberty nor Safety.
   -- Benjamin Franklin
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe