On 03/12/15 14:37, Avaneesh Kadam wrote:
Can we remove following tshark check?
==
main()
{
if (global_capture_opts.saving_to_file) {
if (dfilter != NULL) {
cmdarg_err("Display filters aren't supported when capturing and
saving the captured packets.);
*return 1; //remove this check to allow DF while capturing.*
*}*
}
}
==
I was looking following command to work:
==
tshark -Y "udp.port==137" -f udp -x -w udp_all.pcap
==
Eg. Above command will capture and save all UDP packets and display only
the ones with port as 137.
By removing above check I could get this to work, although I have not
done thorough testing yet.
That will work for your purpose. The reason the check is there,
however, is that most people seem to expect that applying the display
filter would affect what messages are sent to the output file
(udp_all.pcap). (They may have that expectation because that's what
would have happened in much older versions of Wireshark/Ethereal--before
the existence of dumpcap.)