Guy Harris wrote:
Jason wrote:

However, the OP of this thread appeared to be talking about using '-R'
to set the Display Filter in wireshark during an autostarted, '-k', live
capture. So, we're not looking for setting a capture filter with '-R'
like tshark does for reading files. Only to set the Display Filter when
autostarting. Maybe it should have a different switch, to clarify it.

Given that the "R" in "-R" stands for "read", as in "read filter", as in
"filter that's applied when reading packets", that would be the wrong
flag for a *display* filter that's not applied when Wireshark initially
reads in the packets - i.e., a "set the display filter" flag wouldn't
cause packets that don't match the filter to be discarded when the
capture is being read, it would just cause them not to be displayed -
clearing the display filter would show those packets.

mmmmm, suddenly '-y' and '-k' make perfect sense ;-)
Since '-D' is taken by:

  -D                       print list of interfaces and exit

how about '-d'? Like so:

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -d <display filter>      set display filter on start (def: none)
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"

I had a patch which used the display filter compiler on the '-R'
argument and set the running display filter. Unfortunately, I might
have wiped it during a recent cleanup. It wasn't too difficult. IIRC,
it was all in gtk/main.c. I had some trouble (I think with the gtk side
of it) that it wouldn't always show the text of the filter in the
Display Filter text entry box...
Jason.