David Antliff
changed
bug 9817
Comment # 4
on bug 9817
from David Antliff
There is another use case where the ability to "clear" the capture without
doing a full restart is useful. If wireshark is capturing from a pipe, using
the -i option, then restarting the capture results in an "Unrecognized libpcap
format" error, and is unrecoverable. I'm not sure, but this may be because the
restart action closes the pipe, and if the pipe is moderately complex (such as
an ssh tunnel) then it will fail.
In addition, there may be protocol fragments already captured that can help
with the decoding of future packets. Clearing them entirely is throwing away
potentially useful information (although I concede that the usefulness of this
may be very limited).
I suggest a possible alternative - a function to either explicitly (perhaps via
injecting text into the Filter field), or via some internal mechanism, create a
"frame.time >= 'now'" filter, where 'now' expands to the description of the
point in time that the function is invoked. This would allow previous packets
to remain in the capture log, but for the display to only show those packets
that have arrived since the function was invoked.
This filter can be manually entered in existing versions, the only usability
problem is that it's tedious to enter the date & time of 'now'.
This could potentially be extended to a "window" feature, allowing the user to
focus on packets that were logged between two different times, without packet
loss outside the window, and since the log isn't cleared, these begin/end
markers could be moved. Personally I would find this very useful for focusing
on a particular conversation within the log, the the ability to move the window
backwards and forwards in time. Perhaps in this case this is a good argument
for making the frame.time filters "baked in"?
You are receiving this mail because:
- You are watching all bug changes.