[Guy Harris <guy@xxxxxxxxxx>]

> Thanks for the quick reply. Perhaps the "put it in quotes" tip could be
> added to the tethereal man page instead of the current "See manual page
> of tcpdump(8)." The solution is simple enough, it's just not obvious
> enough!

"Not obvious" is arguably an indication that we should do it better.

Neither Ethereal nor Tethereal currently support command-line arguments
other than flag arguments.  For invocations that start out doing a
capture (Ethereal with the "-k" flag, Tethereal without the "-r" flag),
perhaps if there's no "-f" flag, the command-line arguments should be
treated as tokens in a packet filter expression, just as happens with
tcpdump and snoop.

(Unfortunately, this means that, for Tethereal at least, you can't also
arrange to have it read a capture file by giving the capture file name
without "-r"; it's been an occasional source of irritation that you have
to give the "-r" flag - "ethereal foo.pcap" doesn't work, you have to do
"ethereal -r foo.pcap".  For Ethereal, you have to give the "-k" flag to
get it to start out doing a capture, so you could have Ethereal with no
"-k" flag treat a single command-line argument as a file to read.)

Of course, in some cases you'd still have to put the expression, or
tokens thereof, in quotes, i.e. if it contains shell meta-characters
such as "["/"]", or "&&", or "||".