Wireshark-dev: Re: [Wireshark-dev] tshark: drop features "dump to stdout" and "read filter"
From: Ulf Lamping <[email protected]>
Date: Tue, 09 Oct 2007 09:35:21 +0200
Michael Tuexen wrote:
> What is a read filter?
A not so well known feature ;-)

Read filters use the same syntax as display filters (and therefore the whole complex filter engine), and drop packets "already in memory" before they are written to the capture file. That was possible in the old capturing mechanism, as it was built "all in one program".
With the current changes, dumpcap writes the capture file with a complete absence of that complex filtering engine (well, that's in fact the privilege separation!), so there's no chance to do that kind of filtering.
> I think we should continue to support the capture filters.
No question about that.

Regards, ULFL