Wireshark-bugs: [Wireshark-bugs] [Bug 10428] New: tshark's -c flag no longer operates correctly

Date: Wed, 27 Aug 2014 15:57:44 +0000
Bug ID 10428
Summary tshark's -c flag no longer operates correctly
Product Wireshark
Version 1.12.0
Hardware x86-64
OS Linux (other)
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected]

Created attachment 13021
example capture with more than one tcp stream (from wireshark wiki)

Build Information:
TShark 1.12.0 (GitRev 2227 from /wireshark)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.26.1, with libpcap, with libz 1.2.3, without POSIX
capabilities, without libnl, without SMI, with c-ares 1.7.0, with Lua 5.1,
without Python, with GnuTLS 2.8.5, with Gcrypt 1.4.5, with MIT Kerberos, without
GeoIP.

Running on Linux 2.6.32-431.el6.x86_64, with locale en_US.UTF-8, with libpcap
version 1.4.0, with libz 1.2.3.
      Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz

Built using gcc 4.4.7 20120313 (Red Hat 4.4.7-4).
--
The behavior of the "-c" option has changed between tshark 1.10 and 1.12, and
is now limiting the number of packets that are READ by tshark. Previously, it
corresponded to the number of packets that were DISPLAYED on output.

For example, if I wanted to see the first 3 packets of a given TCP stream, I
could have written:

   tshark -r [file] -c 3 -Y "tcp.stream eq 1"

In tshark 1.10.x and earlier, on the example file provided, that would display
three packets: #9, #12, and #13.

With the change to the -c option in tshark 1.12, that no longer shows any
packets, because the "-c 3" will limit reading to only the first 3 packets, and
the requested stream doesn't start until packet #9.


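The two -c semantics described in the report, modelled as an added example (not code from the reporter or from Wireshark). The packet list is a constructed stand-in for the attached capture: only the positions of stream 1 (#9, #12, #13) come from the report, and every function name is hypothetical.

```python
from itertools import islice

# Constructed sample: (frame number, tcp.stream index). Only the first three
# frames of stream 1 (#9, #12, #13) follow the report; the rest is invented.
PACKETS = [(n, 0) for n in range(1, 9)] + [
    (9, 1), (10, 0), (11, 0), (12, 1), (13, 1), (14, 0), (15, 1),
]


def display_filter(packets, stream):
    """Stand-in for -Y "tcp.stream eq N": pass only frames of that stream."""
    return (p for p in packets if p[1] == stream)


def count_displayed(packets, stream, count):
    """1.10 behaviour per the report: filter first, stop after `count` shown."""
    return [n for n, _ in islice(display_filter(packets, stream), count)]


def count_read(packets, stream, count):
    """1.12 behaviour per the report: stop after `count` read, then filter."""
    return [n for n, _ in display_filter(islice(packets, count), stream)]


def read_count_needed(packets, stream, want):
    """Smallest read limit that still displays `want` frames, or None."""
    shown = 0
    for position, (_, s) in enumerate(packets, start=1):
        shown += s == stream
        if shown == want:
            return position
    return None


if __name__ == "__main__":
    print("limit on displayed:", count_displayed(PACKETS, 1, 3))
    print("limit on read:     ", count_read(PACKETS, 1, 3))
    print("read limit needed: ", read_count_needed(PACKETS, 1, 3))
```

Under the read-limit semantics the count has to reach the last wanted frame's position in the file, which a script cannot know in advance, so triage scripts that relied on `-c` with `-Y` return empty output rather than an error.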