Wireshark-users: [Wireshark-users] > How do I change the default capture filter?
From: "Bland, Alan" <Alan.Bland@xxxxxxxxxxxx>
Date: Sat, 8 Aug 2009 09:03:01 -0700
Lori,

Thanks for the advice. I found the string in the "recent" history file. Removing it did not help. That file is generated when Wireshark is closed. Wireshark is still starting up with the invalid capture filter.

I went in and tried to set the default filter to one that exists, but wireshark started up with the invalid filter selected.

Do you have any other ideas?

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wireshark-users-request@xxxxxxxxxxxxx
Sent: Friday, August 07, 2009 12:09 PM
To: wireshark-users@xxxxxxxxxxxxx
Subject: Wireshark-users Digest, Vol 39, Issue 11

Today's Topics:

   1. Re: CPU scalability to quad cores? (Jeff Morriss)
   2. Re: How do I change the default capture filter (Wes)
   3. Re: VLAN Tags? (Wright, John)
   4. "Response/Request in frame" link in my decoded packets -- gone missing (dbarry@xxxxxxxxxxxxxxxxxxx)
   5. Re: [HELP] How to send bytes to wireshark on runtime (Sam Roberts)
   6. Re: [HELP] How to send bytes to wireshark on runtime (Guy Harris)
   7. Cisco FWSM Capture Dump (Robert D. Scott)

----------------------------------------------------------------------

Message: 1
Date: Fri, 07 Aug 2009 08:43:02 -0400
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Subject: Re: [Wireshark-users] CPU scalability to quad cores?
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <4A7C2156.4020703@xxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Steve_Hackett@xxxxxxxxxxxx wrote:
>
> Hi all. I'm new to this list so please go easy on me if this question
> has been raised before!
>
> Do multiple CPU cores help when processing large captures (e.g.
> looking at conversations for instance)? I'm particularly interested in
> whether I would get a performance boost by moving from a dual core to
> a quad core machine. I note that many applications in general don't
> seem to scale well hence the reason for the question.

No: Wireshark is single threaded. (Making it multi-threaded wouldn't be easy, either.)

------------------------------

Message: 2
Date: Fri, 7 Aug 2009 06:06:51 -0700 (PDT)
From: Wes <wes_r@xxxxxxxxx>
Subject: Re: [Wireshark-users] How do I change the default capture filter
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <919569.1830.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset=iso-8859-1

You might be able to use masks to help narrow it down. For example:

ip.addr==192.168.0.0/16

Wes

--- On Fri, 8/7/09, Tony Barratt <tbarratt@xxxxxxxxxxx> wrote:

> From: Tony Barratt <tbarratt@xxxxxxxxxxx>
> Subject: Re: [Wireshark-users] How do I change the default capture filter
> To: wireshark-users@xxxxxxxxxxxxx
> Date: Friday, August 7, 2009, 3:28 AM
> Interesting!
> I would like to display filter on 200 known IPs, which is not practical
> in the GUI.
> Could I put the filter into one of the dfiles found in the folders tab?
> Or is there perhaps a better way?
>
> > Date: Thu, 6 Aug 2009 18:48:07 -0400
> > From: "Lori" <Verdandi@xxxxxxxxxxxxxxxxxx>
> > Subject: Re: [Wireshark-users] How do I change the default capture filter?
> > To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> > Message-ID: <1E7C8F8A6AFE46FBB41DEFD70A638145@Quad>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> > How do I change the default capture filter?
> >
> > If you click on Help | About Wireshark and go to the Folders tab, it will
> > show you the path for both Global and Personal configurations.
> >
> > Hope this helps.
> >
> > Lori
> >
> >   ----- Original Message -----
> >   From: Bland, Alan
> >   To: wireshark-users@xxxxxxxxxxxxx
> >   Sent: Thursday, August 06, 2009 2:10 PM
> >   Subject: [Wireshark-users] How do I change the default capture filter?
> >
> >   At some time in the past I created a filter and managed to set it as
> >   the default filter, because every time I start Wireshark and start a
> >   capture that filter is shown in the "capture filter" text box.
> >
> >   This is a problem because I deleted the filter, so it is not found.
> >
> >   How do I remove this default setting.
> >
> >   To fix it I resorted to uninstalling Wireshark (1.0.7) and reinstalled
> >   it. The default filter was the non-existent filter.
> >
> >   I uninstalled wireshark and install ethereal (0.99). The default filter
> >   was still the non-existent filter.
> >   I uninstalled ethereal and installed wireshark (2.0 the July 2009
> >   release). The default capture filter was still the non-existent filter.
> >
> >   I scanned the registry for the name of the filter. Not found.
> >   I searched the entire C: drive looking for the filter by name. Not found.
> >
> >   This is like a spirit from the other side that has not found peace and
> >   cannot rest.
> >
> >   Your help is needed. How do I remove this setting?

------------------------------

Message: 3
Date: Fri, 7 Aug 2009 09:19:10 -0400
From: "Wright, John" <John.Wright@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] VLAN Tags?
To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <F00D85918ECD574D89F6D0B855A2412B03A0555D@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Bob

I know that this card allows you to see vlan tags:

CNet CNF401

This is an older card 10/100 but it works.

From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Bob Carlson
Sent: Thursday, August 06, 2009 7:06 PM
To: 'Community support list for Wireshark'
Subject: [Wireshark-users] VLAN Tags?

I am connecting to and monitoring a port on a managed VLAN switch from a Windows Vista machine. Is there any way to capture the VLAN tags? I presume this may depend on the Ethernet nic and driver. Is there a device/driver that I need to get to support this?

I don't actually know if the monitoring port delivers the VLAN tags of the packets it is monitoring. The switch is a ProCurve 2600-8-PWR. Anybody know?

I do know that Wireshark can parse these. I used to capture vlan tags when I was watching a VLAN being bridged across 802.11 with WDC.

Cheers, Bob

Bob Carlson | +1 719 571 9228 (office) | +1 541 521 9525 (mobile)
bob@xxxxxxxxxxxxx | rjcarlson49 (aim or skype)

------------------------------

Message: 4
Date: Thu, 6 Aug 2009 11:28:01 -0700
From: dbarry@xxxxxxxxxxxxxxxxxxx
Subject: [Wireshark-users] "Response/Request in frame" link in my decoded packets -- gone missing
To: wireshark-users@xxxxxxxxxxxxx
Message-ID: <OF640B6F97.9FEEE313-ON8825760A.006404FF-8825760A.00651947@xxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

Hello all:

I am using the 1.2.1 Win32 build of Wireshark. Earlier I was often able to see a link in the Decoded packet frame references such as

[Response in frame: 12345] and [Request in frame: 1234]

for most frames (for example, if reviewing a frame containing a HTTP GET, there would be a link to the HTTP Response). Very handy, and a nice alternative to the conversational view and filter.

However, it seems I am no longer seeing those links anymore --- and if it wasn't for the documentation in section C.2, I would begin to think it was all a lovely dream.

I'm wondering if I may have inadvertently changed a preference or setting that I am no longer seeing, or if that reference is only displayed under certain circumstances. As a reference, I still see links for the re-assembled frames, as well as in the SEQ/ACK analysis.

Any help in getting this functionality back would be very much appreciated!

d.

------------------------------

Message: 5
Date: Fri, 7 Aug 2009 09:59:35 -0700
From: Sam Roberts <vieuxtech@xxxxxxxxx>
Subject: Re: [Wireshark-users] [HELP] How to send bytes to wireshark on runtime
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <17eac67c0908070959l3547d866ub13b8c958224543b@xxxxxxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1

On Thu, Aug 6, 2009 at 6:48 PM, Guy Harris<guy@xxxxxxxxxxxx> wrote:
> It's a bit non-obvious, but if you want Wireshark to start capturing
> immediately, you have to specify the "-k" flag as well:
>
> wireshark -i /full/path/to/fifo.pcap -k

The -k works like a charm, thanks.

>> Is there a way to do this?
>
> Write the code in C, instead, and add it to libpcap; then either

Maybe we'll try this sometime. I'm not sure how rich the pcap interface is, there is some information, such as channel to listen on, that needs to be known in order to capture.

Cheers,
Sam

------------------------------

Message: 6
Date: Fri, 7 Aug 2009 10:03:49 -0700
From: Guy Harris <guy@xxxxxxxxxxxx>
Subject: Re: [Wireshark-users] [HELP] How to send bytes to wireshark on runtime
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <22FB4E2E-B346-4161-ACB2-EE2A4C660276@xxxxxxxxxxxx>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes

On Aug 7, 2009, at 9:59 AM, Sam Roberts wrote:

> Maybe we'll try this sometime. I'm not sure how rich the pcap
> interface is, there is some information, such as channel to listen on,
> that needs to be known in order to capture.

The current pcap interface splits the process of starting a live capture into:

   a call to create a capture handle;
   various calls to set various properties on the handle;
   a call to activate the handle.

There is currently not a call to set a channel on which to capture, but at some point one will be added to handle 802.11; such a call could be used on other network types.

------------------------------

Message: 7
Date: Fri, 7 Aug 2009 13:08:38 -0400
From: "Robert D. Scott" <robert@xxxxxxx>
Subject: [Wireshark-users] Cisco FWSM Capture Dump
To: <wireshark-users@xxxxxxxxxxxxx>
Message-ID: <082501ca1781$b4efb9b0$1ecf2d10$@edu>
Content-Type: text/plain; charset="us-ascii"

Has anyone written a script to convert a Cisco FWSM dump format into a text2pcap format so I can read them in Wireshark?

text2pcap -l 12 infile.txt outfile.pcap

works like a champ when the firewall output is in valid format. Hand editing is tedious.

Here is a 3 step tcp handshake from the fwsm:

9: 12:11:00.692669814 802.1Q vlan#1202 P0 10.227.212.114.3709 > 10.19.1.125.80: S 3444274164:3444274164(0) win 65535 <mss 1460,nop,wscale 7,nop,nop,timestamp 0 0,nop,nop,sackOK>
0x0000 4500 0040 f143 4000 7e06 208f 0ae3 d472 E..@.C@.~. ....r
0x0010 0a13 017d 0e7d 0050 cd4b 73f4 0000 0000 ...}.}.P.Ks.....
0x0020 b002 ffff fb07 0000 0204 05b4 0103 0307 ................
0x0030 0101 080a 0000 0000 0000 0000 0101 0402 ................
10: 12:11:00.692669814 802.1Q vlan#1202 P0 10.19.1.125.80 > 10.227.212.114.3709: S 1345738498:1345738498(0) ack 3444274165 win 4128 <mss 536>
0x0000 4500 002c a748 0000 fe06 2a9e 0a13 017d E..,.H....*....}
0x0010 0ae3 d472 0050 0e7d 5036 5702 cd4b 73f5 ...r.P.}P6W..Ks.
0x0020 6012 1020 a966 0000 0204 0218 0000 `.. .f........
11: 12:11:00.692669814 802.1Q vlan#1202 P0 10.227.212.114.3709 > 10.19.1.125.80: . ack 1345738499 win 65535
0x0000 4500 0028 f145 4000 7e06 20a5 0ae3 d472 E..(.E@.~. ....r
0x0010 0a13 017d 0e7d 0050 cd4b 73f5 5036 5703 ...}.}.P.Ks.P6W.
0x0020 5010 ffff cda7 0000 0000 0000 0000 P.............

Robert D. Scott                 Robert@xxxxxxx
Senior Network Engineer         352-273-0113 Phone
CNS - Network Services          352-392-2061 CNS Phone Tree
University of Florida           352-392-9440 FAX
Florida Lambda Rail             352-294-3571 FLR NOC
Gainesville, FL 32611           321-663-0421 Cell

------------------------------

End of Wireshark-users Digest, Vol 39, Issue 11
***********************************************
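
The conversion asked about in Message 7 of the quoted digest can be scripted; the following is an added example, not part of the original thread and not Wireshark code. The function names `parse_fwsm`, `trim_ipv4` and `to_text2pcap` are hypothetical, and the trimming step assumes each record starts at the IPv4 header, as the sample bytes (`45 00 ...`) do.

```python
import re

# Two records copied from the FWSM output quoted in Message 7 (spacing as archived).
SAMPLE = r"""
10: 12:11:00.692669814 802.1Q vlan#1202 P0 10.19.1.125.80 > 10.227.212.114.3709: S 1345738498:1345738498(0) ack 3444274165 win 4128 <mss 536>
0x0000 4500 002c a748 0000 fe06 2a9e 0a13 017d E..,.H....*....}
0x0010 0ae3 d472 0050 0e7d 5036 5702 cd4b 73f5 ...r.P.}P6W..Ks.
0x0020 6012 1020 a966 0000 0204 0218 0000 `.. .f........
11: 12:11:00.692669814 802.1Q vlan#1202 P0 10.227.212.114.3709 > 10.19.1.125.80: . ack 1345738499 win 65535
0x0000 4500 0028 f145 4000 7e06 20a5 0ae3 d472 E..(.E@.~. ....r
0x0010 0a13 017d 0e7d 0050 cd4b 73f5 5036 5703 ...}.}.P.Ks.P6W.
0x0020 5010 ffff cda7 0000 0000 0000 0000 P.............
"""
RECORD = re.compile(r"^\s*\d+:\s+(\d{2}:\d{2}:\d{2}\.\d+)\s")  # "10: 12:11:00.69... "
HEXLINE = re.compile(r"^\s*0x([0-9a-fA-F]{4})\s+(.*)$")         # "0x0010 0a13 ..."
GROUP = re.compile(r"[0-9a-fA-F]{4}|[0-9a-fA-F]{2}")            # 2-byte group or odd last byte

def trim_ipv4(pkt):
    """Cut trailing padding (or mis-read ASCII) using the IPv4 total-length field."""
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:
        total = int.from_bytes(pkt[2:4], "big")
        if 20 <= total <= len(pkt):
            return pkt[:total]
    return pkt

def parse_fwsm(text):
    """Return [(timestamp, packet_bytes), ...] for every record in an FWSM dump."""
    packets = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:                                   # record header starts a new packet
            packets.append((m.group(1), bytearray()))
            continue
        m = HEXLINE.match(line)
        if not m or not packets:
            continue
        data = packets[-1][1]
        if int(m.group(1), 16) != len(data):    # offsets must be contiguous
            raise ValueError(f"offset mismatch: {line!r}")
        for tok in m.group(2).split()[:8]:      # at most 8 groups = 16 bytes per line
            if not GROUP.fullmatch(tok):
                break                           # reached the ASCII column
            data += bytes.fromhex(tok)
    return [(ts, trim_ipv4(bytes(d))) for ts, d in packets]

def to_text2pcap(packets):
    """One 'offset byte byte ...' line per 16 bytes; offset 000000 starts a new packet."""
    return "\n".join(
        f"{off:06x} " + " ".join(f"{b:02x}" for b in pkt[off:off + 16])
        for _ts, pkt in packets for off in range(0, len(pkt), 16))
```

Write the string returned by `to_text2pcap(parse_fwsm(...))` to a file and pass that file to the `text2pcap` command shown in the message.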