Wireshark-dev: Re: [Wireshark-dev] tshark: drop features "dump to stdout" and "read filter"
From: Michael Tuexen <[email protected]>
Date: Tue, 9 Oct 2007 09:41:56 +0200
Ah, I see. I agree.

Best regards

On Oct 9, 2007, at 9:35 AM, Ulf Lamping wrote:

Michael Tuexen wrote:
What is a read filter?
A not so well known feature ;-)

Read filters are using the same syntax as display filters (and therefore
the whole complex filter engine), and drop packets "already in memory"
before they are written to the capture file. That was possible in the
old capturing mechanism, as it was built "all in one program".

With the current changes, dumpcap writes the capture file with a
complete absence of that complex filtering engine (well, that's in fact
the privilege separation!), so there's no chance to do that kind of
I think we should continue to support the
capture filters.

No question about that.

Regards, ULFL
Wireshark-dev mailing list
[email protected]