From d935a280e35055222e49299c47ecabdd820c5462 Mon Sep 17 00:00:00 2001 From: Evan Huus Date: Wed, 27 Mar 2013 17:14:42 +0000 Subject: From Hadriel Kaplan via https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=8223 Add a 2-pass display-filter flag to tshark so that reassembly and other forward- looking dissections can be used with filters. It's a bit of a hack, but this entire area of 2-pass analysis etc. is a giant pile of hacks to begin with and needs cleaning up. For now just having this feature is a big enough win. svn path=/trunk/; revision=48589 --- doc/tshark.pod | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) (limited to 'doc/tshark.pod') diff --git a/doc/tshark.pod b/doc/tshark.pod index 1a8c1c1036..8d30b0446a 100644 --- a/doc/tshark.pod +++ b/doc/tshark.pod @@ -35,7 +35,8 @@ S<[ B<-P> ]> S<[ B<-q> ]> S<[ B<-Q> ]> S<[ B<-r> EinfileE ]> -S<[ B<-R> Eread (display) filterE ]> +S<[ B<-R> ERead filterE ]> +S<[ B<-Y> EdisplaY filterE ]> S<[ B<-s> Ecapture snaplenE ]> S<[ B<-S> EseparatorE ]> S<[ B<-t> ad|a|r|d|dd|e ]> 
@@ -611,13 +612,33 @@ Read packet data from I, can be any supported capture file format (including gzipped files). It's B possible to use named pipes or stdin here! -=item -R Eread (display) filterE +=item -R ERead filterE Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file; packets not matching the filter are discarded rather than being printed or written. +See the '-Y' option for information about using this at the same time the +'-Y' option is used. + +=item -Y EdisplaY filterE + +Cause the specified filter (which uses the syntax of read/display filters, +rather than that of capture filters) to be applied before printing a +decoded form of packets or writing packets to a file. Packets matching the +filter are printed or written to file; packets that the matching packets +depend upon (e.g., fragments), are not printed but are wrtitten to file; +packets not matching the filter nor depended upon are discarded rather +than being printed or written. This mode also performs a two-pass +analysis as is done with the '-2' option, without needing '-2' to be set. + +If the '-R' read filter option is also set, then the read filter is applied +first, and only packets passing that will be considered for the display +filter, including dependent packets. In other words, if the '-R' filters +out fragments, they will not be included even if a packet matching the +display filter depended on the fragments. + =item -s Ecapture snaplenE Set the default snapshot length to use when capturing live data. -- cgit v1.2.3
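Review bot: in the synopsis hunk of doc/tshark.pod, the new placeholders "Read filter" and "displaY filter" use mid-word capitals as a mnemonic for the option letter, while the neighbouring entries ("infile", "capture snaplen", "separator") are plain lower case. Suggest lower-casing both ("read filter", "display filter") here and in the matching =item lines, so the option letter alone carries the mapping.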
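Review bot: in the option-description hunk, the new -Y item opens with the same sentence as the -R item, and the -R text only gains a pointer to -Y, so the page never says how -R used alone differs from -Y used alone. Suggest adding one sentence to the -R item that states the difference. In the -Y paragraph, "wrtitten" should be "written", and "packets not matching the filter nor depended upon" reads better as "packets that neither match the filter nor are depended upon". The text should also say outright that a file written with -Y can contain packets that do not match the filter (the dependent fragments), because anyone filtering a capture before sharing it will otherwise assume the output holds only matching packets.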