Wireshark-users: Re: [Wireshark-users] how could you indicate at start up the IP addresses that w
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 9 Jan 2019 22:01:40 -0800
On Jan 9, 2019, at 9:29 PM, Albretch Mueller <lbrtchx@xxxxxxxxx> wrote:

> in order for only that kind of traffic to be logged to a file?
> 
> You could indicate the interface to listen to with:
> 
> wireshark -i <interface>
> 
> but how do you also indicate that all traffic to certain IP addresses
> should be "followed" and streamed to a certain file on exit?

(Note: the traffic isn't sent to a capture file on exit; Wireshark doesn't capture packets and store them in memory, and only write them out to a file on a save, it writes packets to a file as they're captured - "saving" to a file could involve renaming the file, if it's a temporary file, or copying it to a new location.  And the save is just a sequence of writes - it's not "streamed" in any sense that you can follow the stream; you have to wait for Wireshark to finish writing it, and only read it when it's done, unless you don't mind running the risk of errors reading from a partially-written file.)

The way you set a capture filter from the command line is, to quote the man page:

       -f  <capture filter>
           Set the capture filter expression.

           This option can occur multiple times.  If used before the first
           occurrence of the -i option, it sets the default capture filter
           expression.  If used after an -i option, it sets the capture filter
           expression for the interface specified by the last -i option
           occurring before this option.  If the capture filter expression is
           not set specifically, the default capture filter expression is used
           if provided.

           Pre-defined capture filter names, as shown in the GUI menu item
           Capture->Capture Filters, can be used by prefixing the argument
           with "predef:".  Example: -f "predef:MyPredefinedHostOnlyFilter"

So you'd do something such as

	wireshark -i <interface> -f "host <IP address 1> or <IP address 2> or ... or <IP address N>"

Note, by the way, that if you also pass the -k flag, Wireshark will start capturing as soon as it's finished initializing, so you don't have to click anything to start it.
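As an added example (not part of Guy's reply and not Wireshark's own code), the following POSIX shell script checks that each address is a well-formed IPv4 address, builds the "host A or B or ... or N" capture filter from the reply, and composes the Wireshark command line with -i, -f and -k. The interface name, the addresses (TEST-NET values) and the output file name are constructed placeholders; -w, which sets the file the capture is written to, is a Wireshark option the reply does not mention.

```shell
#!/bin/sh
# Added example: build a pcap capture filter from a list of IPv4 addresses
# and compose the "wireshark -i ... -f ... -k" command line from the reply.
# Interface, addresses and output file below are placeholders (assumptions).

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
# Validating here keeps a typo from turning into a filter that matches
# nothing (or everything) once the capture is running.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255)
                    exit 1
        }
    '
}

# Join the addresses into "host A or B or C". pcap filter syntax lets the
# "host" qualifier carry over, so "or B" is read as "or host B".
build_host_filter() {
    expr_out=""
    for addr in "$@"; do
        is_ipv4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
        if [ -z "$expr_out" ]; then
            expr_out="host $addr"
        else
            expr_out="$expr_out or $addr"
        fi
    done
    [ -n "$expr_out" ] || { echo "no addresses given" >&2; return 1; }
    printf '%s\n' "$expr_out"
}

# Print the command line: -i interface, -k start immediately,
# -f capture filter, -w file the capture is written to as packets arrive.
capture_command() {
    iface="$1"; shift
    outfile="$1"; shift
    cf=$(build_host_filter "$@") || return 1
    printf 'wireshark -i %s -k -f "%s" -w %s\n' "$iface" "$cf" "$outfile"
}

# Usage: placeholder interface and constructed TEST-NET addresses.
capture_command "${IFACE:-eth0}" "${OUTFILE:-capture.pcapng}" 192.0.2.10 192.0.2.20
```

The script only prints the command; run its output (or pipe it to sh) when you are ready to capture. Because -w names the file Wireshark writes to as packets arrive, the file is complete only after Wireshark has stopped capturing, which is the point Guy makes about "streaming" above.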