0

Is it possible to test a capture filter with already captured traffic?

Suppose I have some captured traffic where I apply a display filter which shows the frames I want. Now I would like to convert the display filter to capture filter and use it on real traffic. But before using it I would like to test it over the captured traffic. Is it possible?

Rephrasing, I would like to feed Wireshark with an existing pcap file to get a new one through a capture filter.

nignasi
asked 2017-12-22 15:52:25 +0000

2 Answers

1

Not with Wireshark, but you could do it with tcpdump/WinDump, which supports filtering when reading a capture file, and uses libpcap/WinPcap filters, which is what Wireshark uses as a capture filter.

If you do `tcpdump -r {input file} -w {output file} {filter}`, and then read the output file, that'll show you what packets in the input file would be matched by the filter.

Note, by the way, that not all display filters can be converted to capture filters; the engine that produces the fields that a display filter can test is the same engine that does detailed dissection of packets, but the engine that performs capture filtering is a small pseudo-machine that cannot, for example, execute loops (because that engine can execute in an OS in kernel mode, and the creators of that engine didn't want a program to be able to put the OS kernel into an infinite loop).

Guy Harris
answered 2017-12-22 18:21:28 +0000, updated 2017-12-22 18:24:23 +0000
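The procedure in the answer above, written out as an added shell example (not code from the answer or from the tcpdump project): it runs `tcpdump -r input -w output filter` over a saved file, reports how many of the input packets the capture filter matched, and adds the check a practitioner wants first, compiling the filter with `-d` against the file's link-layer type so that display-filter syntax (such as `udp.port == 53`) is rejected before anything is put on a live capture. It assumes `tcpdump` is on `PATH`; the two-packet pcap is constructed inside the script, not captured traffic.

```shell
#!/bin/sh
# Added example, not part of the answer above. Assumes tcpdump is on PATH.
# The sample pcap written by write_sample_pcap is constructed here, not captured.

# Show the exact tcpdump command line so the filter quoting can be checked first.
filter_test_cmd() {
    printf "tcpdump -nn -r '%s' -w '%s' '%s'\n" "$1" "$2" "$3"
}

# Syntax check only: -d compiles the filter for the file's link type and dumps
# the BPF program. Returns non-zero for anything libpcap cannot compile, which
# is the quickest way to catch a display filter that was never a capture filter.
validate_filter() {
    tcpdump -r "$1" -d "$2" >/dev/null 2>&1
}

# Apply FILTER to INPUT, write the matching packets to OUTPUT (as the answer
# describes), and print "matched/total" by counting one tcpdump line per packet.
filter_test() {
    in=$1 out=$2 filter=$3
    tcpdump -nn -r "$in" -w "$out" "$filter" 2>/dev/null
    total=$(tcpdump -nn -r "$in" 2>/dev/null | wc -l | tr -d ' ')
    matched=$(tcpdump -nn -r "$out" 2>/dev/null | wc -l | tr -d ' ')
    echo "$matched/$total"
}

# Constructed two-packet pcap (Ethernet/IPv4/UDP, 42 bytes each):
# 10.0.0.1:49152 -> 10.0.0.2:53, then 10.0.0.1:49152 -> 10.0.0.2:80.
# Bytes are written with POSIX printf octal escapes.
write_sample_pcap() {
    {
        # global header: magic a1b2c3d4 (little-endian), version 2.4, tz 0,
        # sigfigs 0, snaplen 65535, LINKTYPE_ETHERNET (1)
        printf '\324\303\262\241\002\000\004\000\000\000\000\000\000\000\000\000\377\377\000\000\001\000\000\000'
        for dport in '\000\065' '\000\120'; do   # UDP destination port 53, then 80
            # record header: ts_sec 0, ts_usec 0, caplen 42, origlen 42
            printf '\000\000\000\000\000\000\000\000\052\000\000\000\052\000\000\000'
            # Ethernet: dst 02:00:00:00:00:02, src 02:00:00:00:00:01, type 0x0800
            printf '\002\000\000\000\000\002\002\000\000\000\000\001\010\000'
            # IPv4: ihl 5, total length 28, ttl 64, proto 17 (UDP), checksum 0,
            # src 10.0.0.1, dst 10.0.0.2 (zero checksum is fine for filtering)
            printf '\105\000\000\034\000\001\000\000\100\021\000\000\012\000\000\001\012\000\000\002'
            # UDP: sport 49152, dport, length 8, checksum 0
            printf '\300\000'
            printf "$dport"
            printf '\000\010\000\000'
        done
    } > "$1"
}

# Stand-alone run: build the sample file, validate the filter, then dry-run it.
if [ "${0##*/}" != "sh" ] && [ -z "$FILTER_TEST_LIB" ]; then
    tmp=$(mktemp -d)
    write_sample_pcap "$tmp/in.pcap"
    filter_test_cmd "$tmp/in.pcap" "$tmp/out.pcap" 'udp port 53'
    if validate_filter "$tmp/in.pcap" 'udp port 53'; then
        filter_test "$tmp/in.pcap" "$tmp/out.pcap" 'udp port 53'
    else
        echo "filter did not compile as a capture filter" >&2
    fi
fi
```

With the constructed file, `udp port 53` reports `1/2`, and `validate_filter` fails for `udp.port == 53` because libpcap's BPF compiler has no notion of Wireshark field names; the same check applied to a real capture tells you whether the converted filter is even valid for that file's link type before it is used live.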
0

You could also replay the traffic in a lab scenario using a tool such as tcpreplay, netcat, etc., and set up and test your capture as many times as you'd like.

csereno
answered 2017-12-22 19:47:12 +0000