Amit Paliwal wrote:
so does it mean that Wireshark display filter will losse some packets......
It means that display filters require a full dissection of the packet,
and capture filters don't, so display filters require more work by the
CPU per packet, which means that there might be a greater chance of
losing packets.
Note also that neither capture filters nor display filters will
necessarily handle fragmented IP datagrams the way you want - capture
filters that look at TCP or UDP port numbers will capture only the first
fragment (as that's the one that will probably have the UDP or TCP
header and will thus be the only ones that can see the port number -
filters are stateless and can't find the other fragments), and display
filters will either work that way or, if you reassemble fragmented IP
datagrams, will match only on the *last* fragment.
