Wireshark mailing list archives
Re: how could you indicate at start up the IP addresses that wireshark would filter as destinations ...
From: Guy Harris <guy () alum mit edu>
Date: Wed, 9 Jan 2019 22:01:40 -0800
On Jan 9, 2019, at 9:29 PM, Albretch Mueller <lbrtchx () gmail com> wrote:

> in order for only that kind of traffic to be logged to a file? You could indicate the interface to listen to with: wireshark -i <interface> but how do you also indicate that all traffic to certain IP addresses should be "followed" and streamed to a certain file on exit?
(Note: the traffic isn't sent to a capture file on exit; Wireshark doesn't capture packets and store them in memory, and only write them out to a file on a save, it writes packets to a file as they're captured - "saving" to a file could involve renaming the file, if it's a temporary file, or copying it to a new location. And the save is just a sequence of writes - it's not "streamed" in any sense that you can follow the stream; you have to wait for Wireshark to finish writing it, and only read it when it's done, unless you don't mind running the risk of errors reading from a partially-written file.)

The way you set a capture filter from the command line is, to quote the man page:

    -f <capture filter>
        Set the capture filter expression. This option can occur multiple times. If used before the first occurrence of the -i option, it sets the default capture filter expression. If used after an -i option, it sets the capture filter expression for the interface specified by the last -i option occurring before this option. If the capture filter expression is not set specifically, the default capture filter expression is used if provided.

        Pre-defined capture filter names, as shown in the GUI menu item, Capture->Capture Filters, can be used by prefixing the argument with "predef:". Example: -f "predef:MyPredefinedHostOnlyFilter"

So you'd do something such as

    wireshark -i <interface> -f "host <IP address 1> or <IP address 2> or ... or <IP address N>"

Note, by the way, that if you also pass the -k flag, Wireshark will start capturing as soon as it's finished initializing, so you don't have to click anything to start it.
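The following is an added example illustrating the reply above; it is not part of the original thread and is not Wireshark project code. It builds the capture-filter expression from a list of addresses and composes the command line that combines the -i, -f and -k options discussed in the reply with -w (Wireshark's option for setting the default capture file name), so the file the OP asked about is chosen up front rather than on exit. Because the OP asked about traffic to certain IPs as destinations, the filter uses the "dst host" qualifier, which matches only packets whose destination is one of the addresses; the plain "host" qualifier in the reply matches both directions. The function names, the interface name eth0, the file names and the 192.0.2.x addresses are constructed for the example; the address check rejects anything that is not made of address characters, so a stray shell word cannot be spliced into the filter expression.

```shell
#!/bin/sh
# Added example (not from the original post or from Wireshark):
# build a pcap capture filter for a list of destination addresses and
# compose the wireshark command line that uses it.

# build_dst_filter A B C -> "dst host A or dst host B or dst host C"
# Returns 1 (and prints nothing on stdout) if no addresses are given or
# an argument contains characters that cannot appear in an IPv4/IPv6 literal.
build_dst_filter() {
    filter=""
    for ip in "$@"; do
        case "$ip" in
            ""|*[!0-9a-fA-F:.]*)
                echo "build_dst_filter: rejected address token: '$ip'" >&2
                return 1 ;;
        esac
        if [ -z "$filter" ]; then
            filter="dst host $ip"
        else
            filter="$filter or dst host $ip"
        fi
    done
    if [ -z "$filter" ]; then
        echo "build_dst_filter: no addresses given" >&2
        return 1
    fi
    printf '%s\n' "$filter"
}

# capture_cmd IFACE OUTFILE ADDR... -> the command line to run.
# -k starts capturing immediately, -f sets the capture filter for the
# interface given by -i, -w sets the default capture file name.
capture_cmd() {
    iface=$1
    outfile=$2
    shift 2
    f=$(build_dst_filter "$@") || return 1
    printf 'wireshark -k -i %s -f "%s" -w %s\n' "$iface" "$f" "$outfile"
}

# Usage (hypothetical interface, file and addresses):
#   capture_cmd eth0 dst-only.pcapng 192.0.2.10 192.0.2.11
# prints
#   wireshark -k -i eth0 -f "dst host 192.0.2.10 or dst host 192.0.2.11" -w dst-only.pcapng
# Run the printed command with: eval "$(capture_cmd eth0 dst-only.pcapng 192.0.2.10)"
```

The same -i/-f/-w options work with tshark for an unattended capture without the GUI. Note that -f is a capture (BPF) filter applied by the capture engine, so packets that do not match are never written; it is not a display filter and cannot be changed after the fact without capturing again.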
Current thread:
- how could you indicate at start up the IP addresses that wireshark would filter as destinations ... Albretch Mueller (Jan 09)
- Re: how could you indicate at start up the IP addresses that wireshark would filter as destinations ... Guy Harris (Jan 09)
- <Possible follow-ups>
- Re: how could you indicate at start up the IP addresses that wireshark would filter as destinations ... Albretch Mueller (Jan 10)