Hadriel Kaplan <HKaplan@...> writes:

> BTW, some output from that bug's pcap with your filter:
>
> ./tshark -r testcapture.pcapng -R 'ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1'
> 5 0.001054000 0.000050000 10.90.130.69 -> 10.90.130.66 HTTP/XML POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1
>
> ./tshark -r testcapture.pcapng -R 'ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1' -2
> 1 0.001054000 0.000000000 10.90.130.69 -> 10.90.130.66 HTTP/XML POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1
>
> ./tshark -r testcapture.pcapng -Y 'ip.src == 10.90.130.69 && ip.dst == 10.90.130.66 && tcp.flags.push == 1'
> 4 0.001004000 0.000886000 10.90.130.69 -> 10.90.130.66 TCP [TCP segment of a reassembled PDU]
> 5 0.001054000 0.000050000 10.90.130.69 -> 10.90.130.66 HTTP/XML POST /urreq/rrurreq.dll/?soaprequest HTTP/1.1
>
> Note that last one is what my patch is doing with the '-Y' mode. If this replaces one of the current modes
> instead of being a new one, I'll make it stop printing the fragments out. I couldn't decide if it seemed odd
> or not to print them, but I figured if it was a new option to do this reassembly thing anyway, that the user
> could just not use it if they were printing to stdout and didn't want to see the fragments.

I think there is a difference between displaying the packets matching the filter and saving the packets matching the filter to another pcap file. In the former case, Wireshark does not display packets that don't match the display filter; I think tshark should behave the same way.

Only when you save packets off to another pcap file do the dependencies also get saved using Wireshark. That's what I think tshark should do here as well. And currently Wireshark does not allow you *NOT* to save those dependencies - From Jeff's commit message, "Also, this behavior is always the case: you can't save the displayed packets without their dependencies (I don't see why this would be desirable)." So, tshark might as well act similarly.

I suggest dispensing with the -Y option and just saving all packet dependencies when using the -2 and -w <outfile> options. Displaying packets should not change.

I'm curious what Jeff thinks though since he wrote the code for Wireshark.

- Chris