On Mar 3, 2013, at 9:57 AM, Evan Huus <eapache@xxxxxxxxx> wrote:
> For consistency, I would suggest that both tshark and wireshark take
> only two filter flags:
> -d using wireshark dfilter syntax
> -f using libpcap syntax
>
> Tshark's -d uses only one pass unless -2 is specified. In either case
> it should behave as close as possible to Wireshark's display filter.
> This would mean moving tshark's current -d flag to something else (-R
> would be available, though it wouldn't make a lot of sense).
What would *really* be nice is to make most of this logic be the same physical code and in one place, in file.c, and make tshark just handle the viewing aspects being different. I.e., as an MVC model make both Wireshark and tshark share the same Model *and* Controller as much as possible/reasonable. Of course deciding what's reasonable vs. confusing is always the hard part. :)
-hadriel
