Wireshark-dev: Re: [Wireshark-dev] New feature

From: "T. Hariharan" <harixxxx@xxxxxxxxx>
Date: Fri, 21 Aug 2009 17:09:45 -0700 (PDT)
Thanks for the trigcap pointer. I think it will be more useful to incorporate the trigcap features into dumpcap, tshark and wireshark. The implementation, of course, will be in dumpcap with the latter two simply spawning dumpcap with the appropriate options.

I'll go ahead and implement the features in dumpcap first. The tshark and wireshark changes can come later.

To summarize, make these changes to dumpcap:
- Add "-a filter:<filter>" auto-stop option.
- Add option to specify filter to trigger capture start.

Hari



From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
To: T. Hariharan <harixxxx@xxxxxxxxx>
Sent: Wednesday, August 19, 2009 5:56:44 PM
Subject: Re: [Wireshark-dev] New feature


On Aug 19, 2009, at 12:14 AM, T. Hariharan wrote:

> Add an option to stop the capture when the given filter is matched.

Wireshark doesn't have such a feature.  However, one of the developers wrote a program that isn't compiled by default in the root wireshark directory called trigcap.c for "a simple triggered libpcap-based capture agent".  You may want to take a look at this to get ideas on how to implement the new feature.


Steve