On Monday 28 April 2008 02:16:18 Nahuel Greco wrote:
> Package: tshark
> Version: 1.0.0-1
> Severity: important
>
>
> When you execute something like:
>
> tshark -i eth0 -R http.request -w test.pcap
>
> tshark seems to ignore the read filter specified with the "-R" flag. The
> number of captured packets printed to stderr seems to be correct (it only
> prints the number of http requests encountered). But if you analyze the
> test.pcap file, you will see that ALL the traffic from eth0 was dumped
> unfiltered to it.
--manpage cut--

> I think it's clear, tshark must use the read filter to filter the packets
> before dumping them to the "-w" specified output file. So, this is a bug
> or a documentation error.

I can reproduce this. I could imagine this is a limitation of the way display filters work; however, indeed at least the documentation is misleading then. I'll see if this problem is known upstream.

Joost
--
homepage: http://damad.be/joost
photo blog: http://damad.be/joost/photo