
[Wireshark-dev] Specify Display filter for auto-start live cap on command line

Date: Sat, 22 Mar 2008 14:27:14 -0400
All,

I'm attempting to specify a Display filter on the wireshark command line like so:

wireshark -i ath0 -s 2400 -k -l -b duration:3600 -w /tmp/live.pcap \
	-R "!(wlan.addr == ${ADDR})"

ath0 is in monitor mode with radiotap headers, and ath1 is associated. Both belong to wifi0. $ADDR is the mac address of ath1. (I want to see what's out there that isn't me).

I know '-R' is intended for reading from files, but it would be helpful to me, since I'm auto-starting the live capture ('-k'), to have the argument to '-R' used as the display filter.

The attached patch is a pathetic first attempt to accomplish this. It does _not_ work. I know it's parsing the filter because if I specify an invalid filter, I get a dialog box complaining about it. But it doesn't add the filter (a valid one) to the Display filter, and it does not filter.

What do I have to do to make this work? Any thoughts? If I get it working, I can make it a separate cli option, if desired. I'd just like to see it work. :-)

The long term goal would be to have the '-w' file automagically save only displayed packets...

thx,

Jason.

PS - I haven't cleaned this up for whitespace or anything yet since it's not ready for submission.

diff -Nurd wireshark-1.0.0pre1.orig/gtk/main.c wireshark-1.0.0pre1/gtk/main.c
--- wireshark-1.0.0pre1.orig/gtk/main.c	2008-03-17 23:30:46.000000000 -0400
+++ wireshark-1.0.0pre1/gtk/main.c	2008-03-22 14:12:53.000000000 -0400
@@ -3159,19 +3159,34 @@
       }
       /* "-k" was specified; start a capture. */
       show_main_window(TRUE);
-      if (capture_start(capture_opts)) {
-        /* The capture started.  Open stat windows; we do so after creating
-	   the main window, to avoid GTK warnings, and after successfully
-	   opening the capture file, so we know we have something to compute
-	   stats on, and after registering all dissectors, so that MATE will
-	   have registered its field array and we can have a tap filter with
+      if (rfilter != NULL) {
+        if (!dfilter_compile(rfilter, &rfcode)) {
+          bad_dfilter_alert_box(rfilter);
+          rfilter_parse_failed = TRUE;
+        }
+      }
+
+      if (!rfilter_parse_failed) {
+        if (capture_start(capture_opts)) {
+          cfile.rfcode = rfcode;
+          /* The capture started.  Open stat windows; we do so after creating
+	     the main window, to avoid GTK warnings, and after successfully
+	     opening the capture file, so we know we have something to compute
+	     stats on, and after registering all dissectors, so that MATE will
+	     have registered its field array and we can have a tap filter with
            one of MATE's late-registered fields as part of the filter. */
-        start_requested_stats();
+          start_requested_stats();
+        }
+      } else {
+        if (rfcode != NULL)
+          dfilter_free(rfcode);
+        cfile.rfcode = NULL;
+        show_main_window(FALSE);
+	     set_menus_for_capture_in_progress(FALSE);
       }
-    }
-    else {
-      show_main_window(FALSE);
-      set_menus_for_capture_in_progress(FALSE);
+    } else {
+        show_main_window(FALSE);
+        set_menus_for_capture_in_progress(FALSE);
     }
 
     /* if the user didn't supplied a capture filter, use the one to filter out remote connections like SSH */
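Review bot: the compiled filter leaks on the `capture_start()` failure path, and on the parse-failure path the window is shown and immediately hidden. In the `if (!rfilter_parse_failed)` branch, `cfile.rfcode = rfcode;` is only reached when `capture_start(capture_opts)` returns true; when it returns false the `rfcode` you compiled a few lines earlier is neither stored nor freed with `dfilter_free(rfcode)`, unlike the `else` branch, which does free it. Also, `show_main_window(TRUE)` is still called before the new `dfilter_compile()` block, so a bad filter now shows the main window, pops `bad_dfilter_alert_box(rfilter)`, and then calls `show_main_window(FALSE)`; moving the compile block above `show_main_window(TRUE)` avoids that flicker. Note too that assigning `cfile.rfcode` after `capture_start()` has already returned means nothing in this hunk applies the filter to packets the capture delivers, which is consistent with the "parses but does not filter" symptom described in the mail. Finally, `set_menus_for_capture_in_progress(FALSE);` in the new `else` block is tab-indented while the surrounding lines use spaces, and the trailing `} else {` block changed from 6 to 8 spaces of indentation; worth normalising before this is submitted.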