Wireshark-users: Re: [Wireshark-users] tshark: Difference between -R and -Y
From: Evan Huus <eapache@xxxxxxxxx>
Date: Sun, 5 Jan 2014 19:30:04 -0500
Live capture with two-pass dissection is effectively undefined
behaviour at this point (I'm surprised you're seeing any packets at
all to be honest).

Everything should work as expected when reading from a capture file.

Evan

On Sun, Jan 5, 2014 at 4:21 PM, Joerg Mayer <jmayer@xxxxxxxxx> wrote:
> Hello,
>
> I just found out that I don't understand what -R does.
>
> If I run
> tshark -2 -R "udp.port==53" -i wlan0
> then it seems that I see all packets (arp, dns, lldp, ...)
> if I instead run
> tshark -2 -Y "udp.port==53" -i wlan0
> I only see dns.
> The manpage is not helpful either to explain what I am seeing
> (svn HEAD / r54612)
>
> Can someone please explain what is going on here?
>
> Thanks
>     Jörg
> --
> Joerg Mayer                                           <jmayer@xxxxxxxxx>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe