Wireshark-users: Re: [Wireshark-users] Capture filtering using display filters

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Fri, 27 Jul 2007 17:29:55 +0200
Hi,

Your conclusion that what isn't displayed isn't captured is incorrect.
Lets get into the details, shall we?

First there's the capture engine, then the processing and then the display.

The capture filter determines what's presented to the processing part.
The display filter determines what's presented to the end user.
This is the same for both WS as for TS.

As you can see, when you set a display filter all packets do get captured and processed, but not presented to the end user (or put in an output file for that matter).

Thanx,
Jaap

Petter Strandmark wrote:
Hi,

Using tshark I am able to only capture packets matching a certain display
filter (-R option). This is very useful when I want to capture specific
information over a long period of time on a high-traffic network.

Isn't this possible in wireshark? If it isn't, why not? Capture filters
are useful, but display filters can be so much more specific.

/Petter