Wireshark-bugs: [Wireshark-bugs] [Bug 6718] Wiretap API needs to handle pcap-NG ISB blocks
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=6718
--- Comment #9 from Anders Broman <anders.broman@xxxxxxxxxxxx> 2012-03-05 11:56:52 PST ---
(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > (In reply to comment #5)
> > > > Status update as of rev41328:
> > > >
> > > > Steps:
> > > > 1) cd ~/sandbox/wireshark-1.7.1-SVN-41328
> > > > 2) ./dumpcap -i p132p1 -f tcp -i lo -i p3p1 -f udp -c 1 -w rev41328.pcapng
> > > > 3) ./tshark -r rev41328.pcapng -w n.pcapng
> > > > or
> > > > ./editcap -T ether rev41328.pcapng n.pcapng
> > > >
> > > > Result (n.pcapng)
> ...
> > > > * the IDB if_filter option is being dropped
> ...
> > if_filter should survive reading and writing by dumpcap/wireshark as of 41352
> > note that if_filter is not a string "..The first byte of the Option Data keeps
> > a code of the filter used..." dumpcap/wireshark treated it as a string the ntar
> > library might as well...
>
> Anders,
>
> Thanks for the update.
>
> Still regarding the if_filter option: should we allow this option to be
> repeated? I'm asking this because I think it should be a good idea to also
> store the wireshark's display filters.
>
> tshark -R "<display filter here>" -r in.pcapng -w out.pcapng
>
> Would it make sense to allow n display filters (keep the ones in the source
> file add add the new one to the output file) ?
>
> tshark -R "<second display filter here>" -r out.pcapng -w out2.pcapng
>
> Note: The display filter needs to be registered ( 0 = lipbpcap filter string, 1
> = libpcap byte code, 2 = wireshark display filter string ? )
>
> /jpo
There is a thread just started on this subject on the developers mailing list.
I would propose a new option "shb_ws_display_filter" Wireshark display filter
string. Can occure multiple times.
One could the build a GUI item with a list of the filters, which can be
selected and applied. Possibly there should also be
"shb_ws_display_filter_comment" coupled to the display filter where one could
describe the filter.
--
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.