Wireshark-users: Re: [Wireshark-users] tshark: Difference between -R and -Y

From: Joerg Mayer <jmayer@xxxxxxxxx>
Date: Wed, 8 Jan 2014 01:22:43 +0100
On Sun, Jan 05, 2014 at 07:30:04PM -0500, Evan Huus wrote:
> Live capture with two-pass dissection is effectively undefined
> behaviour at this point (I'm surprised you're seeing any packets at
> all to be honest).

Ah, OK. As some "invalid" cases (-R without -2) are rejected, I expected
that this was a valid combination.

> Everything should work as expected when reading from a capture file.

It does.

Thanks!
    Jörg

> On Sun, Jan 5, 2014 at 4:21 PM, Joerg Mayer <jmayer@xxxxxxxxx> wrote:
> > I just found out that I don't understand what -R does.
> >
> > If I run
> > tshark -2 -R "udp.port==53" -i wlan0
> > then it seems that I see all packets (arp, dns, lldp, ...)
> > if I instead run
> > tshark -2 -Y "udp.port==53" -i wlan0
> > I only see dns.
> > The manpage is not helpful either to explain what I am seeing
> > (svn HEAD / r54612)
> >
> > Can someone please explain what is going on here?

-- 
Joerg Mayer                                           <jmayer@xxxxxxxxx>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
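To reproduce the file-based case that Evan says works as expected, the following added Python script (not part of this thread, and not Wireshark project code) builds a tiny two-packet capture, one ARP request and one DNS A query, and then runs the thread's two tshark invocations against that file instead of a live interface. All addresses, ports, the query name and the timestamps are constructed sample data; the pcap layout is the classic little-endian format with LINKTYPE_ETHERNET. The tshark step is skipped (it returns None) when tshark is not on PATH.

```python
"""
Build a two-frame pcap (ARP + DNS query) and compare
  tshark -2 -R "udp.port==53" -r FILE     (read filter, applied in pass one)
  tshark    -Y "udp.port==53" -r FILE     (display filter, applied when printing)
Added example; every packet below is constructed, not captured.
"""
import os
import shutil
import struct
import subprocess
import tempfile

FILTER = "udp.port==53"   # the filter from the thread


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip4(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def arp_request_frame() -> bytes:
    """Ethernet/ARP who-has 192.168.1.1 (constructed addresses), 42 bytes."""
    eth = mac("ff:ff:ff:ff:ff:ff") + mac("00:11:22:33:44:55") + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)          # Ethernet/IPv4, request
    arp += mac("00:11:22:33:44:55") + ip4("192.168.1.10")    # sender
    arp += mac("00:00:00:00:00:00") + ip4("192.168.1.1")     # target
    return eth + arp


def dns_query_frame() -> bytes:
    """Ethernet/IPv4/UDP/DNS A query for example.com (constructed), 71 bytes."""
    dns = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, RD, 1 question
    dns += b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(dns), 0) + dns  # checksum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0x4000,
                     64, 17, 0, ip4("192.168.1.10"), ip4("192.168.1.1"))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill header checksum
    eth = mac("00:aa:bb:cc:dd:ee") + mac("00:11:22:33:44:55") + struct.pack("!H", 0x0800)
    return eth + ip + udp


def write_pcap(path: str, frames) -> int:
    """Write frames as a little-endian pcap, link type 1 (Ethernet); returns frame count."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1389000000 + i, 0, len(frame), len(frame)))
            f.write(frame)
    return len(frames)


def read_pcap_ethertypes(path: str):
    """Minimal pcap reader used to sanity-check the file: returns the EtherType of each frame."""
    with open(path, "rb") as f:
        data = f.read()
    assert struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4, "not a little-endian pcap"
    off, types = 24, []
    while off < len(data):
        _, _, incl, _ = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        types.append(struct.unpack("!H", frame[12:14])[0])
        off += 16 + incl
    return types


def make_sample_pcap() -> str:
    """Create the ARP+DNS capture in a fresh temp dir and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "arp_dns.pcap")
    write_pcap(path, [arp_request_frame(), dns_query_frame()])
    return path


def tshark_count(args):
    """Number of packet lines tshark prints, or None if tshark is missing or fails."""
    if shutil.which("tshark") is None:
        return None
    proc = subprocess.run(["tshark", *args], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return len([line for line in proc.stdout.splitlines() if line.strip()])


def compare_filters(pcap_path: str, filt: str = FILTER):
    """Reading from a file, both forms should keep only the DNS frame (1 of 2)."""
    return {
        "read_filter": tshark_count(["-2", "-R", filt, "-r", pcap_path]),
        "display_filter": tshark_count(["-Y", filt, "-r", pcap_path]),
    }


if __name__ == "__main__":
    sample = make_sample_pcap()
    print("EtherTypes in file:", [hex(t) for t in read_pcap_ethertypes(sample)])
    print("packets printed:", compare_filters(sample))
```

With tshark installed, both counts come back as 1 (the ARP frame is dropped by either filter), which is the file-based behaviour the thread settles on; the `-i wlan0` variant is deliberately not reproduced here because two-pass dissection on a live interface is, per Evan's reply, undefined at that point. One caveat worth knowing when choosing between the two on a file: the tshark man page notes that forward-looking fields such as "response in frame #" cannot be used in a `-R` filter, since they have not been calculated yet when the first-pass filter runs, whereas `-Y` in two-pass mode sees them.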