Wireshark-bugs: [Wireshark-bugs] [Bug 6718] Wiretap API needs to handle pcap-NG ISB blocks
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6718
--- Comment #8 from Jose Pedro Oliveira <jpo@xxxxxxxxxxxx> 2012-03-05 11:38:32 PST ---
(In reply to comment #7)
> (In reply to comment #6)
> > (In reply to comment #5)
> > > Status update as of rev41328:
> > >
> > > Steps:
> > > 1) cd ~/sandbox/wireshark-1.7.1-SVN-41328
> > > 2) ./dumpcap -i p132p1 -f tcp -i lo -i p3p1 -f udp -c 1 -w rev41328.pcapng
> > > 3) ./tshark -r rev41328.pcapng -w n.pcapng
> > > or
> > > ./editcap -T ether rev41328.pcapng n.pcapng
> > >
> > > Result (n.pcapng)
...
> > > * the IDB if_filter option is being dropped
...
> if_filter should survive reading and writing by dumpcap/wireshark as of 41352
> note that if_filter is not a string "..The first byte of the Option Data keeps
> a code of the filter used..." dumpcap/wireshark treated it as a string the ntar
> library might as well...
Anders,
Thanks for the update.
Still regarding the if_filter option: should we allow this option to be
repeated? I'm asking this because I think it should be a good idea to also
store the wireshark's display filters.
tshark -R "<display filter here>" -r in.pcapng -w out.pcapng
Would it make sense to allow n display filters (keep the ones in the source
file and add the new one to the output file)?
tshark -R "<second display filter here>" -r out.pcapng -w out2.pcapng
Note: The display filter needs to be registered ( 0 = libpcap filter string, 1
= libpcap byte code, 2 = wireshark display filter string ? )
/jpo
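
An added example, not part of the original comment or of Wireshark's code: a bounds-checked reader for a pcapng options area that decodes if_filter by its leading code byte instead of treating the whole value as a string. Option code 11 for if_filter and the code/length/padded-value layout are taken from the pcapng format; the function names and the sample bytes are constructed for illustration, and the repeated option and code 2 in the sample only mirror the question raised above.

```python
import struct

IF_FILTER = 11      # if_filter option code in an Interface Description Block
OPT_ENDOFOPT = 0    # terminates the option list

def iter_options(buf, endian="<"):
    """Yield (code, value) pairs from a pcapng options area."""
    off = 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from(endian + "HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            return
        if off + length > len(buf):
            # A length field pointing past the block must not be trusted.
            raise ValueError("option %d overruns the options area" % code)
        yield code, buf[off:off + length]
        off += (length + 3) & ~3    # values are padded to a 32-bit boundary

def decode_if_filter(value):
    """Split an if_filter value into (kind, payload) using its first byte."""
    if not value:
        raise ValueError("empty if_filter option")
    kind, body = value[0], value[1:]
    if kind == 0:
        return ("libpcap-string", body.decode("utf-8", "replace"))
    if kind == 1:
        return ("bpf-bytecode", body)   # raw bytes, never decoded as text
    return ("unknown-%d" % kind, body)  # unregistered code: keep it opaque

def make_option(code, value, endian="<"):
    """Helper for building the constructed sample below."""
    pad = b"\x00" * (-len(value) % 4)
    return struct.pack(endian + "HH", code, len(value)) + value + pad

def filters_in(buf, endian="<"):
    return [decode_if_filter(v) for c, v in iter_options(buf, endian)
            if c == IF_FILTER]

# Constructed sample: three if_filter options followed by opt_endofopt.
SAMPLE = (make_option(IF_FILTER, b"\x00tcp")
          + make_option(IF_FILTER, b"\x01" + bytes(8))
          + make_option(IF_FILTER, b"\x02http")
          + make_option(OPT_ENDOFOPT, b""))

if __name__ == "__main__":
    for kind, payload in filters_in(SAMPLE):
        print(kind, payload)
```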