CloudShark Support

CloudShark Display Filter Macros

Using Display Filter Macros

Display filter macros created for Wireshark may be used directly in CloudShark. Macros provide a simple shorthand to work with complicated or hard to remember display filters.

Setting up Display Filter Macros

  • Wireshark display filter macros are stored in the dfilter_macros file in your Wireshark preferences directory. The location of this directory varies by operating system.
  • Copy your desired dfilter_macros file to /home/cloudshark/.wireshark/dfilter_macros
  • This file must be readable by the cloudshark OS user.
  • After installing this file for the first time or changing any entry in it, the CloudShark caching system must be restarted. As root, run: service memcached restart

Example Macros

Display filter macros consist of comma-separated entries that list the macro name followed by the display filter. The macro name and the filter should each be enclosed in quotes. Here is a display filter macro that uses a specific IPv4 address.

"server","ip.addr == 1.2.3.4"

Referencing Macros

Display filter macros are referenced using ${macro name} notation. In CloudShark, these macros may be used any place a normal display filter is used.

Macros with Arguments

Display filter macros can also take arguments that are passed in when the macro is referenced. Arguments are passed to a macro by appending a “:” to the end of the macro name, followed by the value.

"mymac", "(eth.dst contains $1)"

This macro would be referenced as ${mymac:00:01:02}
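
Because macros are shared by every CloudShark user, it helps to check a dfilter_macros file and preview what each reference expands to before installing it. The following is an added example, not CloudShark or Wireshark code: the function names are hypothetical, and the ";" separator for multiple arguments and the strict argument-count check are assumptions of this sketch.

```python
import csv
import io
import re

# Constructed sample using the two entries shown on this page.
SAMPLE = '"server","ip.addr == 1.2.3.4"\n"mymac", "(eth.dst contains $1)"\n'

# ${name} or ${name:args}; the first ":" ends the macro name.
REF = re.compile(r"\$\{([^:}]+)(?::([^}]*))?\}")
PARAM = re.compile(r"\$([1-9])")


def load_macros(text):
    """Parse "name","filter" entries, rejecting malformed or duplicate ones."""
    macros = {}
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for row in reader:
        if not row:
            continue  # blank line
        if len(row) != 2 or not row[0].strip() or not row[1].strip():
            raise ValueError(f'line {reader.line_num}: expected "name","filter"')
        name = row[0].strip()
        if name in macros:
            raise ValueError(f"line {reader.line_num}: duplicate macro {name!r}")
        macros[name] = row[1].strip()
    return macros


def expand(display_filter, macros):
    """Replace every ${...} reference with the macro's filter text."""
    def substitute(match):
        name, argstr = match.group(1), match.group(2)
        if name not in macros:
            raise KeyError(f"undefined macro: {name}")
        body = macros[name]
        # Assumption: multiple arguments are separated by ";".
        args = argstr.split(";") if argstr is not None else []
        needed = max((int(n) for n in PARAM.findall(body)), default=0)
        if len(args) != needed:
            raise ValueError(f"{name}: takes {needed} argument(s), got {len(args)}")
        return PARAM.sub(lambda p: args[int(p.group(1)) - 1], body)
    return REF.sub(substitute, display_filter)


if __name__ == "__main__":
    macros = load_macros(SAMPLE)
    for ref in ("${server} && tcp.port == 443", "${mymac:00:01:02}"):
        print(ref, "->", expand(ref, macros))
```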

Important!

Macros are available to all CloudShark users. After making any changes to your macro definitions, you must restart CloudShark’s cache system:

service memcached restart

About CloudShark

CloudShark is made by QA Cafe, a technology company based in Portsmouth, NH. Our passion for packet captures has grown out of our other product CDRouter.