Wireshark-users: Re: [Wireshark-users] Is it a bug with Wireshark?
Date: Tue, 15 Apr 2008 08:13:07 -0400
Guy Harris wrote:
> Jason wrote:
>
>> However, the OP of this thread appeared to be talking about using '-R' to set the Display Filter in wireshark during an autostarted, '-k', live capture. So, we're not looking for setting a capture filter with '-R' like tshark does for reading files. Only to set the Display Filter when autostarting. Maybe it should have a different switch, to clarify it.
>
> Given that the "R" in "-R" stands for "read", as in "read filter", as in "filter that's applied when reading packets", that would be the wrong flag for a *display* filter that's not applied when Wireshark initially reads in the packets - i.e., a "set the display filter" flag wouldn't cause packets that don't match the filter to be discarded when the capture is being read, it would just cause them not to be displayed - clearing the display filter would show those packets.

mmmmm, suddenly '-y' and '-k' make perfect sense ;-)

Since '-D' is taken by:

  -D                       print list of interfaces and exit

how about '-d'?  Like so:

Processing:
  -R <read filter>         packet filter in Wireshark display filter syntax
  -d <display filter>      set display filter on start (def: none)
  -n                       disable all name resolutions (def: all enabled)
  -N <name resolve flags>  enable specific name resolution(s): "mntC"

I had a patch which used the display filter compiler on the '-R' argument and set the running display filter. Unfortunately, I might have wiped it during a recent cleanup. It wasn't too difficult. IIRC, it was all in gtk/main.c. I had some trouble (I think with the gtk side of it) that it wouldn't always show the text of the filter in the Display Filter text entry box...

Jason.