Wireshark-dev: Re: [Wireshark-dev] tshark option for reassembled fragment output

From: Evan Huus <eapache@xxxxxxxxx>
Date: Wed, 27 Mar 2013 17:44:57 -0400
On Wed, Mar 27, 2013 at 2:27 PM, Christopher Maynard
<Christopher.Maynard@xxxxxxxxx> wrote:
> Evan Huus <eapache@...> writes:
>
>> Tshark's current -d is moved to -A (for "decode As") to make room for
>> the new -d (which is then consistent with Wireshark's -d).
>
> Wireshark's -A is for RPCAP password authentication.  Should we reserve -A for
> that?  (I assume it would be possible to support this with tshark.)

Yuck, I didn't see that since it's Windows-only. Perhaps rpcap auth
could simply get moved to Y (which would be free in both tshark and
Wireshark)? It doesn't seem to have a useful association with either
letter.

On Wed, Mar 27, 2013 at 2:43 PM, Hadriel Kaplan <HKaplan@xxxxxxxxxxxxxx> wrote:
>
> On Mar 27, 2013, at 1:57 PM, Evan Huus <eapache@xxxxxxxxx> wrote:
>
>> -d filtering is done when displaying, and has no effect on the
>> internal dissection at all (note this does not force 2 passes).
>
> Actually I'm pretty sure Wireshark *does* perform two passes when a display filter is applied from the command line.  It performs the first pass on reading the file, during which it applies a read-filter if supplied as well as a display-filter if supplied, and it does a second display-filter and dissection pass during loading of the GUI's packet-store (which was filled by whatever passed the first pass).

I think this is just a potential optimization in Wireshark, not
required behaviour. It shouldn't (?) materially affect my proposal.

Evan