diff options
| author | Evan Huus <eapache@gmail.com> | 2013-03-27 17:14:42 +0000 |
|---|---|---|
| committer | Evan Huus <eapache@gmail.com> | 2013-03-27 17:14:42 +0000 |
| commit | d935a280e35055222e49299c47ecabdd820c5462 (patch) | |
| tree | d5f4dfa48e46083ae9e8dd99488d52d19e6f3f24 /doc/tshark.pod | |
| parent | 0d2e02954f2452ca05f8f884044380077a941dd8 (diff) | |
From Hadriel Kaplan via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8223
Add a 2-pass display-filter flag to tshark so that reassembly and other forward-
looking dissections can be used with filters.
It's a bit of a hack, but this entire area of 2-pass analysis etc. is a giant
pile of hacks to begin with and needs cleaning up. For now just having this
feature is a big enough win.
svn path=/trunk/; revision=48589
Diffstat (limited to 'doc/tshark.pod')
| -rw-r--r-- | doc/tshark.pod | 25 |
1 files changed, 23 insertions, 2 deletions
diff --git a/doc/tshark.pod b/doc/tshark.pod index 1a8c1c1036..8d30b0446a 100644 --- a/doc/tshark.pod +++ b/doc/tshark.pod @@ -35,7 +35,8 @@ S<[ B<-P> ]> S<[ B<-q> ]> S<[ B<-Q> ]> S<[ B<-r> E<lt>infileE<gt> ]> -S<[ B<-R> E<lt>read (display) filterE<gt> ]> +S<[ B<-R> E<lt>Read filterE<gt> ]> +S<[ B<-Y> E<lt>displaY filterE<gt> ]> S<[ B<-s> E<lt>capture snaplenE<gt> ]> S<[ B<-S> E<lt>separatorE<gt> ]> S<[ B<-t> ad|a|r|d|dd|e ]> @@ -611,13 +612,33 @@ Read packet data from I<infile>, can be any supported capture file format (including gzipped files). It's B<not> possible to use named pipes or stdin here! -=item -R E<lt>read (display) filterE<gt> +=item -R E<lt>Read filterE<gt> Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file; packets not matching the filter are discarded rather than being printed or written. +See the '-Y' option for information about using this at the same time the +'-Y' option is used. + +=item -Y E<lt>displaY filterE<gt> + +Cause the specified filter (which uses the syntax of read/display filters, +rather than that of capture filters) to be applied before printing a +decoded form of packets or writing packets to a file. Packets matching the +filter are printed or written to file; packets that the matching packets +depend upon (e.g., fragments), are not printed but are wrtitten to file; +packets not matching the filter nor depended upon are discarded rather +than being printed or written. This mode also performs a two-pass +analysis as is done with the '-2' option, without needing '-2' to be set. + +If the '-R' read filter option is also set, then the read filter is applied +first, and only packets passing that will be considered for the display +filter, including dependent packets. In other words, if the '-R' filters +out fragments, they will not be included even if a packet matching the +display filter depended on the fragments. + =item -s E<lt>capture snaplenE<gt> Set the default snapshot length to use when capturing live data. |