Wireshark mailing list archives
Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c
From: Michael Tüxen <Michael.Tuexen () lurchi franken de>
Date: Tue, 28 Jun 2011 08:31:30 +0200
On Jun 28, 2011, at 4:45 AM, Guy Harris wrote:
On Jun 27, 2011, at 12:13 PM, Michael Tüxen wrote:It is fixed in r37806. The currently tshark -i lo0 -i en0 -f icmp sctp will use sctp as the default capture filter. This means that the above is the same as tshark -f sctp -i lo0 -i en0 icmp or tshark -i lo0 -f sctp -i en0 icmpSo does a "-f" filter apply to the interface specified immediately *before* the "-f" flag or to the interface specified immediately *after* the "-f" flag?
A "-f" filter specified before the first interface is the default filter. A "-f" filter specified not before the first interface applies only the the interface immediately before the "-f" flag. I'm currently not enforcing that a given default is actually used for at least one interface. This applies to tshark, dumpcap, and wireshark. Only tshark supports a final filter argument. So currently I use it as another way of specifying a default and consider it an error to give the default twice (once with an initial -f and another time with the argument). However, this makes "tshark -i lo0 -f icmp sctp", which is invalid in earlier versions.
And are users likely to remember which one is the case, and are most or all of them likely to consider one of the two the "obvious" right answer?
I could imagine that users using the filter argument expect the filter to be used on each interface. So it might make sense to require that no -f argument is given at all when using the filter argument. This would also make "tshark -i lo0 -f icmp sctp" invalid as it is in earlier versions. Could you live with that? Best regards Michael
However, tshark -i lo0 -f sctp icmp does not result in an error anymore. If we want to keep that behavior, then we must require that no interface specific capture filter is used when the filter as an argument is given. Which behavior do you prefer?Report an error off 1) a default capture filter was supplied but 2) all interfaces on which you're capturing had explicit capture filters supplies, so that the default capture filter doesn't apply to any interfaces. ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c Guy Harris (Jun 27)
- Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c Michael Tüxen (Jun 27)
- Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c Michael Tüxen (Jun 27)
- Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c Guy Harris (Jun 27)
- Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c Michael Tüxen (Jun 27)
- Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c Joerg Mayer (Jun 28)
- Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c Michael Tüxen (Jun 28)
- Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c Michael Tüxen (Jun 28)
- Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c Guy Harris (Jun 27)