Wireshark mailing list archives

Re: tshark option for reassembled fragment output


From: Hadriel Kaplan <HKaplan () acmepacket com>
Date: Sat, 9 Mar 2013 05:27:07 +0000


On Mar 8, 2013, at 6:20 PM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:

> Note that someone did find a use case for not saving those dependencies: for when Wireshark got the dependencies
> wrong (due to, in that case, packet duplication):
> https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7667

Yeah, a good/nasty example.  In fact, that makes me think there might even be a use-case for specifying both a read and 
a display filter, separately, in tshark.

So to bring it back full-circle, does anyone object to making the new ability to include dependent frames in exported 
info as a new '-Y <display filter>' option? (the 'Y' is for 'displaY', Wireshark's '-d' is used for something else in 
tshark)

It would not support live capture, only file input.  It would not print out the dependents to stdout, but would to 
PDML/CSV/whatever.  Similar to the current -R option, -Y would not re-number the frames, which -2 does do.

If both '-R <read filter>' and '-Y <display filter>' are specified, then it would run the read filter on the first 
pass, and the display filter on the second pass.  For example, this would let you do things like:

tshark -r input.pcap -R 'eth.src==00:10:20:30:40:50' -Y 'mp2t' -w output.pcap

...and you would get the mp2t frames and their dependent fragments, but only for ones from that source Ethernet MAC 
address.

The other question is if it should deprecate the '-2', or if '-2' should be left as it is now.


Other random thoughts based on what I've read in this thread:
Read filters used to be (most?) commonly used when capturing: want to save only 1/1000th of the traffic and capture 
filters aren't powerful enough?  Use a Read filter.  But that's been broken for a long time (since PrivSep 
came in; see bug 2234).  See the recent question about that on -users too.

Off-topic, but do you know that the current docs for dumpcap say this about '-w <outfile>'?:
    NOTE: The usage of "-" for stdout is not allowed here!
:)

-hadriel

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
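The two-pass scheme proposed above (-R applied on the first pass, -Y on the second, dependent fragments pulled into the export but frame numbers left alone), as an added model in Python that is not part of the thread or of tshark itself. The capture, the MAC_B sender, the "deps" bookkeeping and the legacy_read_filter_export contrast are constructed for the illustration.

```python
from typing import Any, Callable, Dict, List

Frame = Dict[str, Any]
Pred = Callable[[Frame], bool]

MAC_A = "00:10:20:30:40:50"  # the source MAC from the example command
MAC_B = "00:10:20:30:40:60"  # constructed second sender

# Constructed capture for this model (not tshark code). "deps" lists the frame
# numbers a reassembled PDU was built from (the thread's "dependent frames").
# mp2t is only recognised on the final, reassembled frame, as a dissector would.
CAPTURE: List[Frame] = [
    {"num": 1, "src": MAC_A, "proto": "arp",     "deps": []},
    {"num": 2, "src": MAC_A, "proto": "ip-frag", "deps": []},
    {"num": 3, "src": MAC_A, "proto": "ip-frag", "deps": []},
    {"num": 4, "src": MAC_A, "proto": "mp2t",    "deps": [2, 3]},
    {"num": 5, "src": MAC_B, "proto": "ip-frag", "deps": []},
    {"num": 6, "src": MAC_B, "proto": "mp2t",    "deps": [5]},
    {"num": 7, "src": MAC_A, "proto": "dns",     "deps": []},
]

def read_filter_pass(frames: List[Frame], read: Pred) -> List[Frame]:
    """First pass (-R): frames failing the read filter are dropped for good."""
    return [f for f in frames if read(f)]

def display_filter_pass(frames: List[Frame], display: Pred) -> List[int]:
    """Second pass (-Y): matching frames plus, transitively, the frames they
    were reassembled from, but only ones the first pass kept. Original
    frame numbers are preserved (no renumbering, unlike -2)."""
    available = {f["num"]: f for f in frames}
    selected = {f["num"] for f in frames if display(f)}
    work = list(selected)
    while work:
        for dep in available[work.pop()]["deps"]:
            if dep in available and dep not in selected:
                selected.add(dep)
                work.append(dep)
    return sorted(selected)

def export(frames: List[Frame], read: Pred, display: Pred) -> List[int]:
    """Frame numbers that would land in the -w output file."""
    return display_filter_pass(read_filter_pass(frames, read), display)

def legacy_read_filter_export(frames: List[Frame], read: Pred) -> List[int]:
    """Plain -R with no dependency tracking: the fragments behind a
    reassembled PDU never make it into the output."""
    return sorted(f["num"] for f in read_filter_pass(frames, read))
```

With the thread's example filters, export() yields frames 2, 3 and 4 (the mp2t PDU from MAC_A and its two fragments), while a plain read filter on 'mp2t' keeps only frames 4 and 6 and loses the fragments.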