[Guy Harris <gharris@xxxxxxxxxxxx>]

On Fri, Oct 27, 2000 at 12:05:48PM +1100, Mark Zvolanek wrote:
> I hope tethereal questions are allowed here.

Tethereal and Ethereal share a very large amount of code; the Ethereal
lists are also for Tethereal.

> When I use -R <read filter> switch I can see memory (private bytes, virtual
> bytes and working set) steadily increasing, eventually after several hours
> crashing the app.
> comand line I use is: 
> tethereal -R "(ip.src == 10.2.1.1 or ip.dst == 10.2.1.2) and tcp.port ==
> 1099" -w log1.cap
> 
> if I dont use the -R switch there are no leaks.i.e.
> tethereal -w log1.cap
> 
> What am I doing wrong?

You're assuming that Tethereal has no memory leaks.  Apparently it does,
but tracking the leak down could be difficult.

> Why does -f switch return syntax error for the above command line?

Because capture filters are compiled by the parser in libpcap/WinPcap,
and have a different syntax than the syntax for display filters (the
capture filter syntax would be inadequate for display filters, and
giving capture filters the same syntax would either involve

	1) re-implementing all the parsing and code generation stuff
	   that libpcap does, which is a very large project

or

	2) parsing display-filter-subset capture filters and generating
	   libpcap-syntax capture filters from them, which is a smaller
	   project but still a significant one).

An equivalent capture filter would be

	(src host 10.2.1.1 or dst host 10.2.1.2) and tcp port 1099