Re: Allowing display filters during capture

[Guy Harris <guy () alum mit edu>]

On Mar 13, 2015, at 7:22 AM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:

> That will work for your purpose.  The reason the check is there, however, is that most people seem to expect that 
> applying the display filter would affect what messages are sent to the output file (udp_all.pcap).  (They may have 
> that expectation because that's what would have happened in much older versions of Wireshark/Ethereal--before the 
> existence of dumpcap.)

That was a long time ago; might it be possible now to realign those people's expectations to match what would be, and 
*should* be, reality?  (One might perfectly rationally want to do a capture of, say, all traffic between two given 
hosts and, while the capture is running, first look at the NFS traffic between them, and then at the HTTP traffic 
between them, and then go back to looking at all traffic between them, i.e. it makes perfect sense to allow the display 
of a live capture to be temporarily filtered without actually filtering set of *captured* traffic.)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe