Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] Add restrictions to arguments of dumpcap

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Aaron Turner <synfinatic@xxxxxxxxx>
Date: Wed, 6 May 2009 22:10:33 -0700
On Wed, May 6, 2009 at 8:59 PM, Michael Tüxen
<Michael.Tuexen@xxxxxxxxxxxxxxxxx> wrote:
> On May 6, 2009, at 3:40 PM, Aaron Turner wrote:
>
>> Personally I think different filters for different interfaces doesn't
>> make a lot of sense.  I really can't imagine a situation when you'd
>> need to capture different kinds of packets on different interfaces but
>> write to a single file.
> For SCTP I might want to capture on two different interfaces
> traffic belonging to the same transport connection. I might want
> to filter on different destination addresses:
> dumpcap -n -i en0 -f sctp && host a.b.c.d -i en1 -f sctp && host e.f.g.h

I'm not sctp knowledgeable, but is there a reason you couldn't just
write a single filter for both interfaces as:

sctp && (host a.b.c.d || host e.f.g.h)

>> At least, I think it's fair to say that single filter w/ multiple
>> interfaces is a more common case then multiple filters & multiple
>> interfaces.  Ideally the more common case shouldn't require you to
>> specify the same filter twice.
> But I need a way to distinguish whether this filter applies for
> all interfaces or only for one...

Fair enough, but it is my opinion that the vast majority of users
don't need this functionality.

> So we could do
> dumpcap -f sctp -n -i en0 -i en1
> (filter before interface) to mean setting for all interfaces
> and
> dumpcap -n -i en0 -f sctp -i en1
> (filter after interface) that sctp is used only for en0 and en1
> has no capture filter.
>
> What do you think about this?

I think this is confusing to many people and is more likely to have
unintended consequences.   Most users don't consider CLI option
ordering to have special meaning.  Personally, I prefer Stephen's
suggestion of directly linking the filter to the interface ala -i
en0:"sctp && host a.b.c.d" if you want to get fancy.

It also means the old style cli args could easliy be grand-fathered in
(any interface without a specific filter uses the global filter).

-- 
Aaron Turner
http://synfin.net/
http://tcpreplay.synfin.net/ - Pcap editing and replay tools for Unix & Windows
Those who would give up essential Liberty, to purchase a little temporary
Safety, deserve neither Liberty nor Safety.
    -- Benjamin Franklin
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube