Wireshark mailing list archives

Re: tshark option for reassembled fragment output


From: Evan Huus <eapache () gmail com>
Date: Wed, 27 Mar 2013 13:57:40 -0400

Here's an updated proposal for potential 'final' behaviour:

===

Tshark and wireshark both have -R for read filter and -d for display filter.

-R filtering is done on initially reading the file and prevents the
rejected packet from being added to the frame data list and other such
structures.

-d filtering is done when displaying, and has no effect on the
internal dissection at all (note this does not force 2 passes).

Tshark's current -d is moved to -A (for "decode As") to make room for
the new -d (which is then consistent with wireshark's -d).

Tshark keeps -2 effectively as it already exists.

===

If -2 is specified, read filters are applied during first pass,
display filters during second pass. If -2 is not specified then both
filters are applied during first pass (but read filter is still
applied first). This naturally follows from the above definitions.
This means that in 1-pass mode there is little difference between -R
and -d. The -2R combination also continues behaving oddly. Both of
these are unusual cases though.

Just to spell it out, under this proposal a user would say -2d instead
of the current -Y.

Thoughts?
Evan
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>