Can we remove following tshark check?
==
main()
{
if (global_capture_opts.saving_to_file) {
if (dfilter != NULL) {
cmdarg_err("Display filters aren't supported when capturing and saving the captured packets.);
return 1; //remove this check to allow DF while capturing.
}
}
}
==
I was looking following command to work:
==
tshark -Y "udp.port==137" -f udp -x -w udp_all.pcap
==
Eg. Above command will capture and save all UDP packets and display only the ones with port as 137.
By removing above check I could get this to work, although I have not done thorough testing yet.
I am new to Wireshark development culture, so please let me know if we discuss such issues here or through bugs.
I did some investigation on why this restriction was put, looks like this was present from day 1 of display filter (-Y).
--
Thanks,
Avaneesh
