Wireshark-dev: Re: [Wireshark-dev] filter expression required


From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 02 Jul 2007 10:09:32 -0700

Amit Paliwal wrote:

so does it mean that Wireshark display filter will lose some packets......

It means that display filters require a full dissection of the packet, and capture filters don't, so display filters require more work by the CPU per packet, which means that there might be a greater chance of losing packets.

Note also that neither capture filters nor display filters will necessarily handle fragmented IP datagrams the way you want - capture filters that look at TCP or UDP port numbers will capture only the first fragment (as that's the one that will probably have the UDP or TCP header and will thus be the only ones that can see the port number - filters are stateless and can't find the other fragments), and display filters will either work that way or, if you reassemble fragmented IP datagrams, will match only on the *last* fragment.
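The first-fragment behaviour described in the message above, shown as an added example that is not part of the original post: a stateless port test in the spirit of the capture filter `udp port N` is run over three constructed IPv4 fragments of one UDP datagram, next to a widened test in the spirit of `udp port N or (ip[6:2] & 0x1fff != 0)`. The addresses, ports, payload and function names are assumptions made up for the illustration.

```python
import struct

def ipv4_fragments(src_port, dst_port, payload, frag_size=16, ident=0x1234):
    """Build constructed IPv4 fragments (20-byte header, no options) of one UDP datagram."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    frags = []
    for off in range(0, len(udp), frag_size):      # frag_size must be a multiple of 8
        chunk = udp[off:off + frag_size]
        more = 0x2000 if off + frag_size < len(udp) else 0   # MF flag on all but the last
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          more | (off // 8), 64, 17, 0,      # checksum left 0 (sample data)
                          bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        frags.append(hdr + chunk)
    return frags

def frag_offset(pkt):
    """Fragment offset field: low 13 bits of bytes 6-7 of the IP header."""
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF

def match_udp_port(pkt, port):
    """Stateless per-packet test, like 'udp port N'."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17 or frag_offset(pkt) != 0:
        return False          # later fragments carry no UDP header to inspect
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return port in (sport, dport)

def match_udp_port_or_fragment(pkt, port):
    """Widened test, like 'udp port N or (ip[6:2] & 0x1fff != 0)'."""
    return match_udp_port(pkt, port) or frag_offset(pkt) != 0

def count_matches(pred, pkts, port):
    return sum(1 for p in pkts if pred(p, port))

# Constructed sample: 8-byte UDP header + 40-byte payload split into 3 fragments.
FRAGS = ipv4_fragments(40000, 5060, b"A" * 40)

if __name__ == "__main__":
    print("fragments:", len(FRAGS))
    print("'udp port 5060' matches:", count_matches(match_udp_port, FRAGS, 5060))
    print("widened filter matches:", count_matches(match_udp_port_or_fragment, FRAGS, 5060))
```

The widened test also accepts non-first fragments of unrelated traffic, since a stateless filter cannot tie a later fragment to the flow that owns the port.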


Wireshark and the "fin" logo are registered trademarks of the Wireshark Foundation