On Sun, Mar 3, 2013 at 12:31 PM, Hadriel Kaplan <hkap...@acmepacket.com> wrote:
>
> On Mar 3, 2013, at 9:57 AM, Evan Huus <eapa...@gmail.com> wrote:
>
>> Right now, wireshark has three CLI filter flags: -R, -d, -f.
>> -d is available through the 'filter' field in the file->open dialogue
>> -f is available through the 'capture filter' field in the
>> capture->options dialogue
>> -R is not available in the GUI at all?
>
> No I believe in the current version of Wireshark it's this:
> -d is the Wireshark *display* filter, same as shown in the toolbar or 
> 'Analyze->Display Filters...'
> -f is as you say
> -R is the Wireshark *read* filter, same as through the 'Filter:' field in 
> file->open

Right. I saw the pre-populating of the display filter field and got confused.

> For some reason when the read filter is done in the file->open dialog box 
> instead of through -R, wireshark also happens to pre-populate the display 
> filter field once the file is opened, presumably as a reminder?  But clearing 
> the display filter doesn't make the other frames appear, since the file's 
> already been opened with only the frames matching the read filter.  And using 
> -R from the command line doesn't pre-populate the display filter field in the 
> opened file.
>
> Currently in tshark the '-R' alone doesn't behave like anything in Wireshark, 
> but '-R -2' two-pass behaves like Wireshark's -R read filter; whereas my 
> patch behaves like Wireshark's '-d' display filter.
>
>
>>> The *tshark* legacy '-R' by itself (without the '-2') is also fairly 
>>> confusing.  It doesn't behave as a Wireshark read filter or display filter. 
>>>  But it's got the performance benefit of only doing one pass.  I'm not sure 
>>> if that matters to many people, but I would think it would to someone.(?)
>>
>> I would think that whatever tshark's filter flag is, it ought to
>> behave just like wireshark's display filter. It should be possible to
>> do that in still only one pass?
>
> I don't see how - the filter matching can happen on the second frame/packet 
> of a pair of fragments, for example, and you've already passed by the initial 
> fragment by that time.  So right now my tshark patch uses the 2-pass model by 
> adding all frames to the frame-list/radix-tree in the first pass and marking 
> the dependency flag of previous frames in the list when the filter matches; 
> then in the second pass it prints the frames that are marked for dependency 
> or pass the filter.  In the second pass I'm not sure the filter needs to be 
> applied again, but that's what the code did before so there's probably some 
> good reason for it.

Hmm, yes. So the one-pass mode should behave the same as wireshark
except for fragmented packets then?

I think, in general, I'm still in favour of getting rid of the read
filter. The file->open filter field which currently acts (sort of)
like -R can instead act like Wireshark's current -d: prepopulating the
display filter, but not actually removing the other packets from
consideration (so that clearing the display filter shows them again).

There doesn't seem to be a coherent and usable behaviour for -R when
dealing with fragmented packets.

Evan
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Reply via email to