Re: Multiple traces

[Guy Harris <guy () alum mit edu>]

On Oct 28, 2015, at 1:25 PM, Perry Smith <pedzsan () gmail com> wrote:

> I am testing the new Wireshark 2.0.0rc1 on the Mac and so far it seems to have all the features I need.   I believe I 
> am going to enjoy the new interface a great deal.  The X11 interface was rather quirky on the Mac.
>
> I have one question.
>
> In the old version (1.12.x) I could do:
>
> open -a wireshark foo1.pcap
> open -a wireshark foo2.pcap
> open -a wireshark foo3.pcap
>
> and have all three traces at the same time.  I could not seem to get this feature if I did the normal open from the 
> GUI.  But now on 2.0, the above does not work like it did.  Instead of a new window, a new open command (from the 
> command line) just replaces the single existing window.

The GTK+ version consists of a wrapper program that's the "application" from the standpoint of Launch Services, and an 
X11 program that's the real Wireshark.  A side-effect of that was, apparently, that multiple opens would cause multiple 
instances of the X11 program to be started.

The Qt version consists of a single program; the "application" from the standpoint of Launch Services *is* the real 
Wireshark.  This might make it more difficult to arrange that multiple opens cause multiple instances of the program to 
be started; in OS X's model of the world, a single process handles all open documents, but, currently, Wireshark 
doesn't support that.

> So I gather that most people look at one IP trace at a time?

No, you gather that the transition from being a less-native application to being a more-native application more 
actively exposes the mismatch between Wireshark's one-process-per-capture architecture and OS X's 
one-process-for-all-documents architecture.  This was not an explicit UI design change.

> That is likely going to be a deal breaker for me.  I often want to view iptraces taken simultaneously on the two 
> ends.  Perhaps there are better techniques?

Well, you could create a small shell script named, for example, "wsopen", which does:

        #! /bin/sh
        /Applications/Wireshark.app/Contents/MacOS/Wireshark "$@"&

and then doing

        wsopen foo1.pcap
        wsopen foo2.pcap
        wsopen foo3.pcap

should work.  (With 2.0.0rc1, this will fail; you'd have to install the latest 2.0.0rc2 automated builds from 
https://www.wireshark.org/download/automated/osx/.)

> Is there an option (or an open request to add an option) so I can have more than one trace open at a time?

Well, ultimately, Wireshark should be made to support having multiple files - and live captures - open within a single 
process, so that it fits the OS X model better.  On other OSes (Windows and other UN*Xes), double-clicking multiple 
captures would probably start separate processes, as that's how their application launchers work; I don't know whether 
the ability to open multiple files or start multiple captures within the same process would be useful on those 
platforms.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe