Hi,
Your conclusion that what isn't displayed isn't captured is incorrect.
Let's get into the details, shall we?
First there's the capture engine, then the processing and then the display.
The capture filter determines what's presented to the processing part.
The display filter determines what's presented to the end user.
This is the same for both WS and TS.
As you can see, when you set a display filter all packets do get
captured and processed, but not presented to the end user (or put in an
output file for that matter).
Thanx,
Jaap
Petter Strandmark wrote:
Hi,
Using tshark I am able to only capture packets matching a certain display
filter (-R option). This is very useful when I want to capture specific
information over a long period of time on a high-traffic network.
Isn't this possible in wireshark? If it isn't, why not? Capture filters
are useful, but display filters can be so much more specific.
/Petter
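
The three stages described in the reply above, as an added example that is not part of either message and is not Wireshark or tshark code: a simplified model that counts how many packets reach each stage with a display filter only, a capture filter only, and both. The `Packet` fields, `run_pipeline`, the two filter functions and the traffic are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    payload: str  # application data (constructed sample text)

def run_pipeline(packets, capture_filter=None, display_filter=None):
    """Simplified model: capture engine -> processing -> display."""
    stats = {"on_wire": 0, "captured": 0, "processed": 0, "displayed": 0}
    shown = []
    for pkt in packets:
        stats["on_wire"] += 1
        # Stage 1: the capture filter decides what is handed to processing.
        if capture_filter and not capture_filter(pkt):
            continue
        stats["captured"] += 1
        # Stage 2: every captured packet is processed, displayed or not.
        stats["processed"] += 1
        # Stage 3: the display filter only decides what the user sees.
        if display_filter and not display_filter(pkt):
            continue
        stats["displayed"] += 1
        shown.append(pkt)
    return stats, shown

def sample_traffic():
    """Constructed traffic: 100 HTTP (10 of them POST), 100 DNS, 100 TLS."""
    pkts = []
    for i in range(300):
        if i % 3 == 0:
            pkts.append(Packet("tcp", 80, "POST /login" if i % 30 == 0 else "GET /"))
        elif i % 3 == 1:
            pkts.append(Packet("udp", 53, "dns query"))
        else:
            pkts.append(Packet("tcp", 443, "tls record"))
    return pkts

def port80(pkt):        # coarse, header-level test (capture-filter style)
    return pkt.proto == "tcp" and pkt.dport == 80

def is_post(pkt):       # fine-grained, content-level test (display-filter style)
    return pkt.payload.startswith("POST")

if __name__ == "__main__":
    traffic = sample_traffic()
    print("display only :", run_pipeline(traffic, None, is_post)[0])
    print("capture only :", run_pipeline(traffic, port80, None)[0])
    print("both         :", run_pipeline(traffic, port80, is_post)[0])
```

With the display filter alone, all 300 packets are captured and processed although only 10 are shown; adding the coarse capture filter cuts the captured and processed count to 100 while the same 10 are displayed.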