Re: [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c dumpcap.c tshark.c

[Guy Harris <guy () alum mit edu>]

On Jun 27, 2011, at 12:13 PM, Michael Tüxen wrote:

> It is fixed in r37806. The currently
> tshark -i lo0 -i en0 -f icmp sctp
> will use sctp as the default capture filter. This means that the above is the same as
> tshark -f sctp -i lo0 -i en0 icmp
> or
> tshark -i lo0 -f sctp -i en0 icmp

So does a "-f" filter apply to the interface specified immediately *before* the "-f" flag or to the interface specified 
immediately *after* the "-f" flag?

And are users likely to remember which one is the case, and are most or all of them likely to consider one of the two 
the "obvious" right answer?

> However,
> tshark -i lo0 -f sctp icmp
> does not result in an error anymore.
> If we want to keep that behavior, then we must require that no interface specific
> capture filter is used when the filter as an argument is given. Which behavior
> do you prefer?

Report an error off

        1) a default capture filter was supplied

but

        2) all interfaces on which you're capturing had explicit capture filters supplies, so that the default capture 
filter doesn't apply to any interfaces.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe