Wireshark-users: [Wireshark-users] So what use does the "-Q" flag have?
: Guy Harris <guy@xxxxxxxxxxxx
: Tue, 23 Aug 2011 19:58:06 -0700
The man page says
−Q Cause Wireshark to exit after the end of capture session (useful in
batch mode with −c option for instance); this option requires the
−i and −w parameters.
"Exit after the end of the capture session" means that
1) if the capture fails to start, Wireshark exits before you get to read any message box it puts up with an error message;
2) if the capture does start, as soon as you stop it, Wireshark quits, meaning you don't get to look at the capture when it's done.
What is the "batch mode" referred to there? If the goal is to do capturing from the command line, using TShark or dumpcap would make more sense; all you get from -Q is a mode where you get to watch the capture while it's happening, but when it's done, that's it. With -c, the capture stops automatically, so, if you're not paying attention, you might not see any of the packets.
It might be there as a leftover from the days when "Update list of packets in real time" was implemented by spinning off a child process running Wireshark to do the capturing; that's no longer the case, as we now spin off a child process running dumpcap.
Does anybody use -Q? If so, does anybody use it in a context where having a GUI up while the capture is in progress, but not after the capture stops, is useful? If so, where is it useful? If not, is there any reason not to use TShark or dumpcap instead?