Wireshark · Wireshark-dev: [Wireshark-dev] Specify Display filter for auto-start live cap on command line

[Jason <wireshark@xxxxxxxxxxxxxx>]

All,

I'm attempting to specify a Display filter on the wireshark command line 
like so:

wireshark -i ath0 -s 2400 -k -l -b duration:3600 -w /tmp/live.pcap \
	-R "!(wlan.addr == ${ADDR})"

ath0 is in monitor mode with radiotap headers, and ath1 is associated. 
Both belong to wifi0. $ADDR is the mac address of ath1. (I want to see 
what's out there that isn't me).

I know '-R' is intended for reading from files, but it would be helpful 
to me, since I'm auto-starting the live capture ('-k'), to have the 
argument to '-R' used as the display filter.

The attached patch is a pathetic first attempt to accomplish this.  It 
does _not_ work.  I know it's parsing the filter because if I specify an 
invalid filter, I get a dialog box complaining about it.  But it doesn't 
add the filter (a valid one) to the Diplay filter, and it does not filter.

What do I have to do to make this work?  any thoughts?  If I get it 
working, I can make it a separate cli option, if desired.  I'd just like 
to see it work. :-)

The long term goal would be to have the '-w' file automagically save 
only displayed packets...

thx,

Jason.

PS - I haven't cleaned this up for whitespace or anything yet since it's 
not ready for submission.

diff -Nurd wireshark-1.0.0pre1.orig/gtk/main.c wireshark-1.0.0pre1/gtk/main.c
--- wireshark-1.0.0pre1.orig/gtk/main.c	2008-03-17 23:30:46.000000000 -0400
+++ wireshark-1.0.0pre1/gtk/main.c	2008-03-22 14:12:53.000000000 -0400
@@ -3159,19 +3159,34 @@
       }
       /* "-k" was specified; start a capture. */
       show_main_window(TRUE);
-      if (capture_start(capture_opts)) {
-        /* The capture started.  Open stat windows; we do so after creating
-	   the main window, to avoid GTK warnings, and after successfully
-	   opening the capture file, so we know we have something to compute
-	   stats on, and after registering all dissectors, so that MATE will
-	   have registered its field array and we can have a tap filter with
+      if (rfilter != NULL) {
+        if (!dfilter_compile(rfilter, &rfcode)) {
+          bad_dfilter_alert_box(rfilter);
+          rfilter_parse_failed = TRUE;
+        }
+      }
+
+      if (!rfilter_parse_failed) {
+        if (capture_start(capture_opts)) {
+          cfile.rfcode = rfcode;
+          /* The capture started.  Open stat windows; we do so after creating
+	     the main window, to avoid GTK warnings, and after successfully
+	     opening the capture file, so we know we have something to compute
+	     stats on, and after registering all dissectors, so that MATE will
+	     have registered its field array and we can have a tap filter with
            one of MATE's late-registered fields as part of the filter. */
-        start_requested_stats();
+          start_requested_stats();
+        }
+      } else {
+        if (rfcode != NULL)
+          dfilter_free(rfcode);
+        cfile.rfcode = NULL;
+        show_main_window(FALSE);
+	     set_menus_for_capture_in_progress(FALSE);
       }
-    }
-    else {
-      show_main_window(FALSE);
-      set_menus_for_capture_in_progress(FALSE);
+    } else {
+        show_main_window(FALSE);
+        set_menus_for_capture_in_progress(FALSE);
     }
 
     /* if the user didn't supplied a capture filter, use the one to filter out remote connections like SSH */