Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 3998] tshark with a read filter of smb.response

Wireshark-bugs: [Wireshark-bugs] [Bug 3998] tshark with a read filter of smb.response_in does no

Date: Mon, 11 Feb 2013 20:14:40 +0000

Comment # 3 on bug 3998 from Bill Meier

(In reply to comment #1)
> TShark is, by design and intent, a single-pass program - it moves forward
> through the packets and, once it's dissected a packet, it never looks at it
> again.
> 
> This makes it impossible for it to fill in the "smb.response_in" field, as
> you note:
> 
>     Maybe this is an issue with all derived information where the next
> packet is
> needed to populate the derived information for the Request?

Update: newer versions of tshark (starting with 1.8) do have a 2 pass
capability which does allow this type of query.

(However, there appears to be a bug: See Bug #8316)

You are receiving this mail because:

You are the assignee for the bug.
You are watching all bug changes.

Prev by Date: [Wireshark-bugs] [Bug 8316] tshark -2 -R "some filter" issues
Next by Date: [Wireshark-bugs] [Bug 3790] RTMP dissector shows "malformed packet" for valid RTMP packets.
Previous by thread: [Wireshark-bugs] [Bug 8316] tshark -2 -R "some filter" issues
Next by thread: [Wireshark-bugs] [Bug 8317] New: pcap-ng: name resolution block is not written to file on save
Index(es):
- Date
- Thread