Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c du

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 27 Jun 2011 19:45:19 -0700
On Jun 27, 2011, at 12:13 PM, Michael Tüxen wrote:

> It is fixed in r37806. Currently
> tshark -i lo0 -i en0 -f icmp sctp
> will use sctp as the default capture filter. This means that the above is the same as
> tshark -f sctp -i lo0 -i en0 icmp
> or
> tshark -i lo0 -f sctp -i en0 icmp

So does a "-f" filter apply to the interface specified immediately *before* the "-f" flag or to the interface specified immediately *after* the "-f" flag?

And are users likely to remember which one is the case, and are most or all of them likely to consider one of the two the "obvious" right answer?

> However,
> tshark -i lo0 -f sctp icmp
> does not result in an error anymore.
> If we want to keep that behavior, then we must require that no interface specific
> capture filter is used when the filter as an argument is given. Which behavior
> do you prefer?

Report an error if

	1) a default capture filter was supplied

but

	2) all interfaces on which you're capturing had explicit capture filters supplied, so that the default capture filter doesn't apply to any interfaces.
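
The error condition proposed above, sketched in C as an added example (not part of the original message and not Wireshark's own code). The struct iface_opt type and both function names are hypothetical, and the sketch assumes option parsing has already decided which interface each "-f" belongs to, which is the question the thread leaves open.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type for this sketch; not Wireshark's capture options struct. */
struct iface_opt {
    const char *name;     /* interface name, e.g. "lo0" */
    const char *cfilter;  /* explicit per-interface filter, NULL if none given */
};

/* Constructed sample inputs. */
static const struct iface_opt all_explicit[]   = { { "lo0", "sctp" }, { "en0", "tcp" } };
static const struct iface_opt one_unfiltered[] = { { "lo0", "sctp" }, { "en0", NULL } };

/* Filter an interface ends up with: its own if it has one, else the default
 * (which may itself be NULL, meaning no filtering). */
const char *effective_filter(const struct iface_opt *ifc, const char *default_filter)
{
    return ifc->cfilter != NULL ? ifc->cfilter : default_filter;
}

/* Returns -1 when a default filter was supplied (condition 1) but every
 * listed interface already has an explicit filter (condition 2), so the
 * default would silently apply to nothing. Returns 0 otherwise. */
int check_default_filter(const struct iface_opt *ifs, size_t n, const char *default_filter)
{
    size_t i;

    if (default_filter == NULL)
        return 0;               /* condition 1 not met */
    if (n == 0)
        return 0;               /* assumption: no -i given, so nothing carries an explicit filter */
    for (i = 0; i < n; i++)
        if (ifs[i].cfilter == NULL)
            return 0;           /* the default applies to this interface */
    return -1;
}

int main(void)
{
    if (check_default_filter(all_explicit, 2, "icmp") != 0)
        fprintf(stderr, "error: default capture filter \"icmp\" applies to no interface\n");
    if (check_default_filter(one_unfiltered, 2, "icmp") == 0)
        printf("%s uses \"%s\"\n", one_unfiltered[1].name,
               effective_filter(&one_unfiltered[1], "icmp"));
    return 0;
}
```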