Re: tshark option for reassembled fragment output

[Hadriel Kaplan <HKaplan () acmepacket com>]

On Mar 27, 2013, at 1:57 PM, Evan Huus <eapache () gmail com> wrote:

> -d filtering is done when displaying, and has no effect on the
> internal dissection at all (note this does not force 2 passes).

Actually I'm pretty sure Wireshark *does* perform two passes when a display filter is applied from the command line.  
It performs the first-pass on reading the file during which it applies a read-filter if supplied as well as a 
display-filter if supplied, and it does a second display-filter and dissection pass during loading of the GUI's 
packet-store (which was filled by whatever passed the first pass).

-hadriel

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe