Wireshark mailing list archives
Re: tshark option for reassembled fragment output
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Fri, 08 Mar 2013 18:20:12 -0500
Sorry, I've been lazy about catching up on this long thread.
Christopher Maynard wrote:
I think there is a difference between displaying the packets matching the filter and saving the packets matching the filter to another pcap file. In the former case, Wireshark does not display packets that don't match the display filter; I think tshark should behave the same way.
Yes, an important point.
Only when you save packets off to another pcap file do the dependencies also get saved using Wireshark. That's what I think tshark should do here as well. And currently Wireshark does not allow you *NOT* to save those dependencies - From Jeff's commit message, "Also, this behavior is always the case: you can't save the displayed packets without their dependencies (I don't see why this would be desirable)." So, tshark might as well act similarly. I suggest dispensing with the -Y option and just save all packet dependencies when using the -2 and -w <outfile> options. Displaying packets should not change.
Note that someone did find a use case for not saving those dependencies: for when Wireshark got the dependencies wrong (due to, in that case, packet duplication):
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7667
Other random thoughts based on what I've read in this thread:
Read filters used to be (most?) commonly used when capturing: want to save only 1/1000th of the traffic and capture filters aren't powerful enough? Use a Read filter. But that's been broken for a long time though (since PrivSep came in; see bug 2234). See the recent question about that on -users too.
I agree tshark should try to be consistent with itself rather than trying to fake consistency with the GUI. We've had a lot of questions over the years about why tshark is different and usually the "it's doing one pass" logic explains it easily enough. (Honestly I've viewed tshark's 2-pass mode as an interesting experiment: I think it was thrown in as an experiment and only added to the documentation for completeness--completeness which was probably premature given the state of the code.)
Don't forget that tshark is limited to 1 pass when it's reading from a pipe (which is a common use case); making 2-pass the default would probably annoy a lot of users who do that.