On Jan 9, 2019, at 9:29 PM, Albretch Mueller <lbrt...@gmail.com> wrote:
> in order for only that kind of traffic to be logged to a file?
>
> You could indicate the interface to listen to with:
>
> wireshark -i <interface>
>
> but how do you also indicate that all traffic to certain IP addresses
> should be "followed" and streamed to a certain file on exit?

(Note: the traffic isn't sent to a capture file on exit; Wireshark doesn't capture packets and store them in memory, and only write them out to a file on a save; it writes packets to a file as they're captured - "saving" to a file could involve renaming the file, if it's a temporary file, or copying it to a new location. And the save is just a sequence of writes - it's not "streamed" in any sense that you can follow the stream; you have to wait for Wireshark to finish writing it, and only read it when it's done, unless you don't mind running the risk of errors reading from a partially-written file.)

The way you set a capture filter from the command line is, to quote the man page:

       -f  <capture filter>
           Set the capture filter expression.

           This option can occur multiple times. If used before the first
           occurrence of the -i option, it sets the default capture filter
           expression. If used after an -i option, it sets the capture
           filter expression for the interface specified by the last -i
           option occurring before this option. If the capture filter
           expression is not set specifically, the default capture filter
           expression is used if provided.

           Pre‐defined capture filter names, as shown in the GUI menu item,
           Capture->Capture Filters, can be used by prefixing the argument
           with "predef:". Example: -f "predef:MyPredefinedHostOnlyFilter"

So you'd do something such as

       wireshark -i <interface> -f "host <IP address 1> or <IP address 2> or ... or <IP address N>"

Note, by the way, that if you also pass the -k flag, Wireshark will start capturing as soon as it's finished initializing, so you don't have to click anything to start it.
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-users
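Added example, not part of the original message or of Wireshark itself: a POSIX shell helper that builds the "host A or B or ... or N" capture filter shown in the reply from a list of addresses, and refuses any entry that is not a plain IP literal so a stray token cannot change what the filter matches. The function names are hypothetical, the sample addresses are constructed from documentation ranges, and the -w option in the usage comment is Wireshark's output-file option, which the message does not mention.

```shell
#!/bin/sh
# is_ipv4 ADDR: succeeds only for a dotted quad with each octet in 0-255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1                     # split on dots; only digits and dots remain
    IFS=$_ifs
    [ "$#" -eq 4 ] || return 1
    for _octet in "$@"; do
        [ "${#_octet}" -le 3 ] && [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# is_ipv6 ADDR: loose check (hex digits and colons only, at least two colons).
# libpcap does the real parsing; this only keeps filter keywords out.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*) return 1 ;;
        *:*:*) return 0 ;;
    esac
    return 1
}

# build_host_filter ADDR...: prints "host A or B or ... or N".
# Returns 1 (and prints nothing on stdout) if any entry is not an IP literal.
build_host_filter() {
    [ "$#" -gt 0 ] || { echo "no addresses given" >&2; return 1; }
    _filter=
    for _addr in "$@"; do
        if ! is_ipv4 "$_addr" && ! is_ipv6 "$_addr"; then
            echo "rejected (not an IP literal): $_addr" >&2
            return 1
        fi
        _filter="${_filter:+$_filter or }$_addr"
    done
    printf 'host %s\n' "$_filter"
}

# Constructed sample addresses (documentation ranges), not from the thread.
build_host_filter 192.0.2.10 198.51.100.7 2001:db8::1

# Usage, with the options discussed in the reply plus -w for the output file:
#   wireshark -i <interface> -k -f "$(build_host_filter 192.0.2.10 198.51.100.7)" -w <file>
```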