Wireshark mailing list archives
Re: Need filters
From: János Löbb <janos.lobb () yale edu>
Date: Thu, 24 Jun 2010 10:14:10 -0400
On Jun 23, 2010, at 7:30 PM, Guy Harris wrote:
> On Jun 23, 2010, at 3:59 PM, David H. Lipman wrote:
>
>> "not udp port 137" and any other additions. If there are many, command line options are untenable. Loading and parsing an ASCII file would be the way to go.
>
> One limit on the number of command-line filtering when capturing is that there are limits on the power of the filter expressions. However, you might end up putting in a lot of filters to filter out particular hosts, for example.
>
> If the command line is *itself* read from an ASCII file, then, obviously, command-line options do involve loading an ASCII file.
>
> If somebody is typing that command at a command line, then:
>
> 1) at least on UN*X command lines, you can say
>
>     tshark -f `cat {filter}`
>
> where {filter} is the name of a file containing the filter, although that is limited by the number of bytes of command-line argument that the UN*X in question supports;
>
> 2) if you use tcpdump or WinDump rather than TShark or dumpcap to capture the traffic, it has a -F flag that takes, as an argument, the name of a file containing the filter expression (tcpdump/WinDump, TShark, and dumpcap all use libpcap/WinPcap to do traffic capture, so they all have the same capture filter syntax).
If you are eating up argument space, you might want to consider xargs. I awk a directory containing sysmon logs, and at about 5000 files awk complained about not having enough argument space. I googled and found this kind of solution to it:

    find /Volumes/Data/PROJECTS/Sysmon/sysmon_logs -type f | xargs /usr/bin/awk -f /Volumes/Data/PROJECTS/Sysmon/sysmon_prgs/workerprocess.awk > /Volumes/Data/PROJECTS/Sysmon/outs/workerprocess.out

You can tailor it to your tshark experiment.

János
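As an added example (not code from the thread or from the Wireshark project), a small POSIX shell script for the "many exclusions" case discussed above: it builds one libpcap capture filter from a file of hosts and ports to leave out of a capture, and falls back to tcpdump's -F file form when the expression would not fit in a single command-line argument. The interface name eth0, the file names and the exclusion entries are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds one libpcap capture filter
# from a file of exclusions, then picks the invocation form: inline argument
# when the expression is short, "tcpdump -F file" when it is not.
# Interface name eth0 and all list entries are constructed placeholders.

# build_filter FILE: each non-blank, non-comment line of FILE is one libpcap
# primitive to exclude ("host 10.0.0.1", "udp port 137"). Prints a single
# expression such as "not (host 10.0.0.1) and not (udp port 137)".
build_filter() {
    awk 'NF && $1 !~ /^#/ {
             sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
             out = out (out ? " and " : "") "not (" $0 ")"
         }
         END { print out }' "$1"
}

# filter_fits_argv EXPR [LIMIT]: succeeds when EXPR fits in one argv entry.
# LIMIT defaults to 131072, the Linux per-argument cap (MAX_ARG_STRLEN);
# `getconf ARG_MAX` bounds the whole argv+envp and is usually larger.
filter_fits_argv() {
    [ "${#1}" -lt "${2:-131072}" ]
}

# capture_command EXPR FILTERFILE [LIMIT]: print the tcpdump command to run.
# The expression is also written to FILTERFILE so the -F form is always
# available; -F takes a file with the same syntax as the inline filter.
capture_command() {
    printf '%s\n' "$1" > "$2"
    if filter_fits_argv "$1" "$3"; then
        printf 'tcpdump -i eth0 -w out.pcap %s\n' "'$1'"
    else
        printf 'tcpdump -i eth0 -w out.pcap -F %s\n' "$2"
    fi
}

# Demo on a constructed exclusion list.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/exclude.txt" <<'EOF'
# noise to keep out of the capture (constructed sample)
host 10.0.0.1
udp port 137
EOF
    filter=$(build_filter "$dir/exclude.txt")
    capture_command "$filter" "$dir/capture.filter"
    rm -rf "$dir"
}
demo
```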