If you specify the "-Q" flag, it starts a capture immediately and, when you stop the capture, Wireshark exits.
This is left over from when Wireshark implemented "Update list of packets in real time" captures by running another copy of Wireshark to do the capture and to send messages to the main Wireshark as packets arrive; that other copy was run with "-Q", so it would exit when the capture was complete. Wireshark no longer implementes "Update list of packets in real time" captures in that fashion; instead, it runs dumpcap. "-Q" doesn't appear to be useful for any other purposes - if you run a capture like that, you see the capture as it happens, but, when you stop the capture, Wireshark shuts down so you don't see any of the traffic. If you want to start a Wireshark capture from the command line, and *not* have Wireshark exit when the capture is stopped, you can use the "-k" flag. I have plans to use "-Q" to specify an 802.11 channel on which to capture in monitor mode in tcpdump, TShark, dumpcap, and Wireshark; "-Q" is available in all of those programs except Wireshark, and it doesn't appear to do anything useful in Wireshark. Would anybody miss the current "-Q" flag if it went away? _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users
