Wireshark mailing list archives

Previous By Date Next
Previous By Thread Next

Re: tshark option for reassembled fragment output

From: Evan Huus <eapache () gmail com>
Date: Wed, 27 Mar 2013 08:52:10 -0400
We just got another bug on what I believe is exactly the same issue:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8529

Do we have at least a rough consensus on what the correct behaviour is?

On Sat, Mar 9, 2013 at 7:48 AM, Evan Huus <eapache () gmail com> wrote:

On Sat, Mar 9, 2013 at 12:27 AM, Hadriel Kaplan <HKaplan () acmepacket com> wrote:


On Mar 8, 2013, at 6:20 PM, Jeff Morriss <jeff.morriss.ws () gmail com> wrote:


Note that someone did find a use case for not saving those dependencies: for when Wireshark got the dependencies 
wrong (due to, in that case, packet duplication):
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7667


Yeah, a good/nasty example.  In fact, that makes me think there might even be a use-case for specifying both a read 
and a display filter, separately, in tshark.

So to bring it back full-circle, does anyone object to making the new ability to include dependent frames in 
exported info as a new '-Y <display filter>' option? (the 'Y' is for 'displaY', Wireshark's '-d' is used for 
something else in tshark)


I would think it would be better to move the current -d to something
else. Command-line flags should be consistent between Wireshark and
Tshark, at least where they have the same meaing.


It would not support live capture, only file input.  It would not print out the dependents to stdout, but would to 
PDML/CSV/whatever.  Similar to the current -R option, -Y would not re-number the frames, which -2 does do.

If both "-R <read filter>' and '-Y <display-filter>' are specified, then it would run the read filter on the first 
pass, and the display on the second pass.  For example, this would let you do things like:

tshark -r input.pcap -R 'eth.src==00:10:20:30:40:50' -Y 'mp2t' -w output.pcap

...and you would get the mp2t frames and their dependent fragments, but only for ones from that source Ethernet MAC 
address.

The other question is if it should deprecate the '-2', or if '-2' should be left as it is now.


My understanding would be that we would end up with -R for read
filters, -d for display filters and -2 which can be added to either
for two-pass analysis (which also enables the reassembly exporting).
There should be no need for an additional flag except as something to
move the current -d to.

Evan

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Previous By Date Next
Previous By Thread Next

Current thread: