Re: tshark --export-objects : -2 assumed or required for two-pass ?

[chuck c <bubbasnmp () gmail com>]

Thanks for the insight.

Probably too early to label this a bug, but definitely a change in behavior.
"Works" (may be in the eye of the beholder) in 2.6 and 3.0.
Output changed in 3.1 and 3.2.

On Mon, Aug 10, 2020 at 8:01 PM John Thacker <johnthacker () gmail com> wrote:

> On Mon, Aug 10, 2020 at 5:32 PM chuck c <bubbasnmp () gmail com> wrote:
>
> > tshark --export-objects dicom is behaving differently than exporting
> > Dicom objects in Wireshark.
> >
> > Is the "-2" option assumed to be set, observed if set or not used at all
> > for exporting objects with tshark?
>
> Having implemented Export Objects on a different custom TFTP-like
> protocol, I experienced the same thing.
>
> With tshark, -2 is observed if set, and that can result in different
> behavior. Generally more accurate information is obtained with two
> passes, which is equivalent to Wireshark behavior.
>
> There are certain protocols where single pass analysis just isn't
> sufficient to determine all the data, and dissectors where some state
> object is set, like packet-dcm.c, are a common case.
>
> John Thacker
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe