Wireshark-dev: Re: [Wireshark-dev] [Wireshark-commits] rev 37802: /trunk/ /trunk/: capture.c du

From: Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Tue, 28 Jun 2011 10:01:49 +0200
On Jun 28, 2011, at 8:31 AM, Michael Tüxen wrote:

> On Jun 28, 2011, at 4:45 AM, Guy Harris wrote:
> 
>> 
>> On Jun 27, 2011, at 12:13 PM, Michael Tüxen wrote:
>> 
>>> It is fixed in r37806. Currently
>>> tshark -i lo0 -i en0 -f icmp sctp
>>> will use sctp as the default capture filter. This means that the above is the same as
>>> tshark -f sctp -i lo0 -i en0 icmp
>>> or
>>> tshark -i lo0 -f sctp -i en0 icmp
>> 
>> So does a "-f" filter apply to the interface specified immediately *before* the "-f" flag or to the interface specified immediately *after* the "-f" flag?
> A "-f" filter specified before the first interface is the default filter.
> A "-f" filter specified not before the first interface applies only to the
> interface immediately before the "-f" flag.
> I'm currently not enforcing that a given default is actually used for at
> least one interface.
> 
> This applies to tshark, dumpcap, and wireshark. Only tshark supports a final
> filter argument. So currently I use it as another way of specifying a default
> and consider it an error to give the default twice (once with an initial -f
> and another time with the argument).
> 
> However, this makes "tshark -i lo0 -f icmp sctp" valid, which is invalid in earlier
> versions.
>> 
>> And are users likely to remember which one is the case, and are most or all of them likely to consider one of the two the "obvious" right answer?
> I could imagine that users using the filter argument expect the filter
> to be used on each interface. So it might make sense to require that
> no -f argument is given at all when using the filter argument. This would
> also make "tshark -i lo0 -f icmp sctp" invalid as it is in earlier versions.
> 
> Could you live with that?
I have committed a fix to use the above semantic after thinking about it.
If you can't live with that, we can change it.

Best regards
Michael
> 
> Best regards
> Michael
>> 
>>> However,
>>> tshark -i lo0 -f sctp icmp
>>> does not result in an error anymore.
>>> If we want to keep that behavior, then we must require that no interface specific
>>> capture filter is used when the filter as an argument is given. Which behavior
>>> do you prefer?
>> 
>> Report an error if
>> 
>> 	1) a default capture filter was supplied
>> 
>> but
>> 
>> 	2) all interfaces on which you're capturing had explicit capture filters supplied, so that the default capture filter doesn't apply to any interfaces.
>> ___________________________________________________________________________
>> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
>> Archives:    http://www.wireshark.org/lists/wireshark-dev
>> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>>            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>> 
> 
>
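
Added example (not part of the original message and not Wireshark's option-parsing code): a small Python model of the -i/-f rules discussed in this thread, useful for checking which capture filter each interface ends up with. The names resolve_filters and strict are hypothetical; rejecting a repeated -f for the same scope and requiring at least one -i are assumptions of the model, and strict=True applies the unused-default error proposed in the quoted reply.

```python
# Model of the thread's rules only: handles -i, -f and trailing filter words.
def resolve_filters(argv, strict=False):
    """Map each -i interface to its effective capture filter (None = no filter)."""
    default = None      # "-f" given before the first "-i"
    ifaces = []         # [name, explicit_filter] pairs in command-line order
    saw_f = False
    trailing = []
    i = 0
    while i < len(argv):
        opt = argv[i]
        if opt not in ("-i", "-f"):
            trailing = argv[i:]          # remaining words form the filter argument
            break
        if i + 1 >= len(argv):
            raise ValueError(f"{opt} needs a value")
        value = argv[i + 1]
        i += 2
        if opt == "-i":
            ifaces.append([value, None])
            continue
        saw_f = True
        if not ifaces:
            # "-f" before the first interface is the default filter
            if default is not None:
                raise ValueError("default -f given twice (assumption: rejected)")
            default = value
        else:
            # otherwise it applies only to the interface immediately before it
            if ifaces[-1][1] is not None:
                raise ValueError("two -f for one interface (assumption: rejected)")
            ifaces[-1][1] = value
    if not ifaces:
        raise ValueError("this model requires at least one -i")
    if trailing:
        # committed semantic: the filter argument excludes any use of -f
        if saw_f:
            raise ValueError("filter argument cannot be combined with -f")
        default = " ".join(trailing)
    if strict and default is not None and all(f is not None for _, f in ifaces):
        # proposal from the quoted reply: a default that reaches no interface
        raise ValueError("default capture filter applies to no interface")
    return {name: (f if f is not None else default) for name, f in ifaces}
```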