Wireshark-dev: Re: [Wireshark-dev] tshark option for reassembled fragment output

From: Evan Huus <eapache@xxxxxxxxx>
Date: Wed, 27 Mar 2013 13:57:40 -0400

Here's an updated proposal for potential 'final' behaviour:

===

Tshark and wireshark both have -R for read filter and -d for display filter.

-R filtering is done on initially reading the file and prevents the
rejected packet from being added to the frame data list and other such
structures.

-d filtering is done when displaying, and has no effect on the
internal dissection at all (note this does not force 2 passes).

Tshark's current -d is moved to -A (for "decode As") to make room for
the new -d (which is then consistent with wireshark's -d).

Tshark keeps -2 effectively as it already exists.

===

If -2 is specified, read filters are applied during first pass,
display filters during second pass. If -2 is not specified then both
filters are applied during first pass (but read filter is still
applied first). This naturally follows from the above definitions.
This means that in 1-pass mode there is little difference between -R
and -d. The -2R combination also continues behaving oddly. Both of
these are unusual cases though.

Just to spell it out, under this proposal a user would say -2d instead
of the current -Y.

Thoughts?
Evan