Wireshark mailing list archives

Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c


From: Michael Tüxen <Michael.Tuexen () lurchi franken de>
Date: Tue, 28 Jun 2011 08:31:30 +0200

On Jun 28, 2011, at 4:45 AM, Guy Harris wrote:


On Jun 27, 2011, at 12:13 PM, Michael Tüxen wrote:

It is fixed in r37806. The currently
tshark -i lo0 -i en0 -f icmp sctp
will use sctp as the default capture filter. This means that the above is the same as
tshark -f sctp -i lo0 -i en0 icmp
or
tshark -i lo0 -f sctp -i en0 icmp

So does a "-f" filter apply to the interface specified immediately *before* the "-f" flag or to the interface specified immediately *after* the "-f" flag?
A "-f" filter specified before the first interface is the default filter.
A "-f" filter specified not before the first interface applies only to the
interface immediately before the "-f" flag.
I'm currently not enforcing that a given default is actually used for at
least one interface.

This applies to tshark, dumpcap, and wireshark. Only tshark supports a final
filter argument. So currently I use it as another way of specifying a default
and consider it an error to give the default twice (once with an initial -f
and another time with the argument).

However, this makes "tshark -i lo0 -f icmp sctp", which is invalid in earlier
versions.

And are users likely to remember which one is the case, and are most or all of them likely to consider one of the two the "obvious" right answer?
I could imagine that users using the filter argument expect the filter
to be used on each interface. So it might make sense to require that
no -f argument is given at all when using the filter argument. This would
also make "tshark -i lo0 -f icmp sctp" invalid as it is in earlier versions.

Could you live with that?

Best regards
Michael

However,
tshark -i lo0 -f sctp icmp
does not result in an error anymore.
If we want to keep that behavior, then we must require that no interface specific
capture filter is used when the filter as an argument is given. Which behavior
do you prefer?

Report an error if

      1) a default capture filter was supplied

but

      2) all interfaces on which you're capturing had explicit capture filters supplied, so that the default capture filter doesn't apply to any interfaces.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
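
The "-f" rules stated in the reply above (a "-f" before the first interface is the default, a later "-f" binds to the interface immediately before it, and tshark's final filter argument is another way to give the default), as an added sketch that is not Wireshark's code. The names `capture_plan` and `resolve_filters` are hypothetical, the trailing filter is assumed to be a single word, and `default_unused` marks the case the quoted proposal would report as an error.

```c
#include <stddef.h>
#include <string.h>

#define MAX_IFACES 8   /* arbitrary limit for this sketch */

/* Hypothetical result type: the filter each interface ends up with. */
struct capture_plan {
    int n;
    const char *iface[MAX_IFACES];
    const char *filter[MAX_IFACES];   /* NULL means no capture filter */
    int default_unused;               /* default given but applied nowhere */
};

/* argv holds the options after the program name. Returns 0, or -1 on a
 * usage error. Simplification: the trailing filter is a single word. */
int resolve_filters(int argc, const char *const *argv, struct capture_plan *p)
{
    const char *dflt = NULL;
    int i, used = 0;

    p->n = 0;
    for (i = 0; i < argc; i++) {
        if (strcmp(argv[i], "-i") == 0) {
            if (++i >= argc || p->n >= MAX_IFACES) return -1;
            p->iface[p->n] = argv[i];
            p->filter[p->n++] = NULL;
        } else if (strcmp(argv[i], "-f") == 0) {
            if (++i >= argc) return -1;
            if (p->n > 0) {            /* after an interface: per-interface */
                p->filter[p->n - 1] = argv[i];
            } else {                   /* before the first -i: the default */
                if (dflt) return -1;   /* assumption: repeated default rejected */
                dflt = argv[i];
            }
        } else {                       /* trailing filter argument (tshark) */
            if (dflt) return -1;       /* default given twice */
            dflt = argv[i];
        }
    }
    /* Interfaces without their own filter inherit the default. */
    for (i = 0; i < p->n; i++)
        if (p->filter[i] == NULL) { p->filter[i] = dflt; used = 1; }
    p->default_unused = (dflt != NULL && !used);
    return 0;
}
```

Checking `default_unused` before starting a capture catches a filter that was typed but never applied, which otherwise leaves an interface capturing more or less traffic than the operator intended.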