Wireshark mailing list archives

Automatically stopping a live capture after specific packet content


From: Dylan Ulis <daulis0 () gmail com>
Date: Mon, 2 Jul 2018 23:12:25 -0400

All,

I talked to Roland, Peter and Graham at SF about this, but I didn't get the
answer I wanted, so I figured I'd give it a try to implement :)

I'd like to automatically stop a live capture after some specific thing is
seen in a packet - using either a BPF style filter or a display filter. I
think display filters are a little easier for users, since many users are
more familiar with them. Dumpcap.bat (https://wiki.wireshark.org/Tools) has
similar functionality (using BPF filters), but it's specific to Windows,
and I'd like to have something built into Wireshark to make it easy.

It's a useful feature because:
1. It's often easier when the symptom of a problem is the last packet in a
capture, and you can scroll up in the trace to see what caused it.
2. For ring buffers, sometimes the data is lost after letting a capture run
for long periods of time. Very long running captures are common where I
work for many test scenarios.

My idea:
1. GUI: Capture -> Options -> Options. Under "Stop capture automatically
after", add a new option for X "matches of current display filter" or
"number of displayed packets", where X is an integer (like the other
options).
2. file.c: When capture_file.displayed_count >= X, stop the live capture.

Questions:
1. How can I signal from file.c into wherever in the GUI can stop the
capture?
2. Anything that you think will cause me problems with this approach?

I'm willing to give this a try, even if you don't like the idea right now.
I think it would help to see a prototype in Gerrit after I work through it.

Thanks,
Dylan
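To make the proposal concrete, here is an added C model of the "stop after X displayed packets" condition and of one way the file layer could signal the GUI (a stop callback registered when the capture starts). It is example code written for this archive page, not Wireshark's source and not Dylan's; `capture_file`'s fields, `cf_process_packet`, `tcp_rst_filter` and the demo functions are assumed names, and the four-frame trace is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of the proposed autostop condition; names are assumed, not Wireshark's. */
typedef bool (*display_filter_fn)(const uint8_t *pkt, size_t len);
typedef void (*stop_capture_fn)(void *user_data);
typedef struct {
    unsigned displayed_count;    /* packets that passed the display filter */
    unsigned autostop_displayed; /* X from the capture options; 0 = disabled */
    display_filter_fn filter;    /* NULL = every packet is displayed */
    stop_capture_fn stop_cb;     /* registered by the GUI layer at capture start */
    void *stop_user_data;
    bool stop_requested;         /* so the GUI is signalled only once */
} capture_file;

/* File-layer hook per captured packet; returns true when this packet triggered the stop. */
bool cf_process_packet(capture_file *cf, const uint8_t *pkt, size_t len) {
    if (cf->filter == NULL || cf->filter(pkt, len))
        cf->displayed_count++;
    if (cf->autostop_displayed == 0 || cf->stop_requested ||
        cf->displayed_count < cf->autostop_displayed)
        return false;
    cf->stop_requested = true;           /* later packets still count but never re-fire */
    cf->stop_cb(cf->stop_user_data);     /* GUI layer stops the capture engine */
    return true;
}
/* Example filter: Ethernet/IPv4/TCP with RST set, i.e. display filter "tcp.flags.reset == 1". */
bool tcp_rst_filter(const uint8_t *pkt, size_t len) {
    if (len < 34 || pkt[12] != 0x08 || pkt[13] != 0x00 || pkt[23] != 6)
        return false;
    size_t tcp = 14 + (size_t)(pkt[14] & 0x0f) * 4;
    return len >= tcp + 14 && (pkt[tcp + 13] & 0x04) != 0;
}
static int g_stop_calls;                 /* stands in for the GUI's stop handler */
static void gui_stop(void *ud) { (void)ud; g_stop_calls++; }
int demo_stop_calls(void) { return g_stop_calls; }

/* Constructed trace SYN, ACK, RST, RST: returns the 1-based index of the packet that
 * stopped the capture (0 = none); the second RST must not signal the GUI again. */
int demo_stop_on_first_rst(void) {
    uint8_t f[4][54] = {{0}};
    const uint8_t flags[4] = {0x02, 0x10, 0x04, 0x04};
    capture_file cf = {0, 1, tcp_rst_filter, gui_stop, NULL, false};
    int stopped_at = 0; g_stop_calls = 0;
    for (int i = 0; i < 4; i++) {
        f[i][12] = 0x08; f[i][14] = 0x45; f[i][23] = 6; f[i][47] = flags[i];
        if (cf_process_packet(&cf, f[i], 54) && stopped_at == 0)
            stopped_at = i + 1;
    }
    return stopped_at;
}
```

The `stop_requested` flag matters because packets already queued by the capture child keep arriving after the stop is requested; they still count as displayed but must not trigger the GUI a second time.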
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
