Wireshark mailing list archives

tshark with -R less than stellar

From: Joerg Mayer <jmayer () loplof de>
Date: Sun, 12 Mar 2017 12:36:39 +0100

Hello,

I stmbled on https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234 and
the situation looks less than stellar (also documented in comment 25):

tshark -i utun2 -R "ip.addr==10.122.4.12"
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.

tshark -i utun2 -Y "ip.addr==10.122.4.12"
Capturing on 'utun2'
...
^C4 packets captured

tshark -w test.pcapng -i utun2 -Y "ip.addr==10.122.4.12"
tshark: Display filters aren't supported when capturing and saving the captured packets.

tshark -w test.pcapng -i utun2 -R "ip.addr==10.122.4.12"
tshark: -R without -2 is deprecated. For single-pass filtering use -Y.

tshark -w test.pcapng -i utun2 -R "ip.addr==10.122.4.12" -2
tshark: Live captures do not support two-pass analysis.

IMO we need a solution that doesn't violate the principle of least surprise
quite as much as the current situation.

Ideas?

Thanks!
   Jörg
-- 
Joerg Mayer                                           <jmayer () loplof de>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

tshark with -R less than stellar Joerg Mayer (Mar 12)