'Re: [Wireshark-users] tshark: Difference between -R and -Y'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wireshark-users
Subject:    Re: [Wireshark-users] tshark: Difference between -R and -Y
From:       Evan Huus <eapache () gmail ! com>
Date:       2014-01-08 0:30:45
Message-ID: CAOYNdEL8K1-GuN0aiRU8nuaXR-sn_7rryM2atiF+ZHyfthrPng () mail ! gmail ! com
[Download RAW message or body]

On Tue, Jan 7, 2014 at 7:22 PM, Joerg Mayer <jmayer@loplof.de> wrote:
> On Sun, Jan 05, 2014 at 07:30:04PM -0500, Evan Huus wrote:
>> Live capture with two-pass dissection is effectively undefined
>> behaviour at this point (I'm surprised you're seeing any packets at
>> all to be honest).
>
> Ah, OK. As some "invalid" cases (-R without -2) are rejected I expected
> that this was a valid combination.

Whoops. I added an explicit error message in r54643.

Evan

>> Everything should work as expected when reading from a capture file.
>
> It does.
>
> Thanks!
>     Jörg
>
>> On Sun, Jan 5, 2014 at 4:21 PM, Joerg Mayer <jmayer@loplof.de> wrote:
>> > I just found out that I don't understand what -R does.
>> >
>> > If I run
>> > tshark -2 -R "udp.port==53" -i wlan0
>> > then it seems that I see all packets (arp, dns, lldp, ...)
>> > if I instead run
>> > tshark -2 -Y "udp.port==53" -i wlan0
>> > I only see dns.
>> > The manpage is not helpful either to explain what I am seeing
>> > (snv HEAD / r54612)
>> >
>> > Can someone please explain what is going on here?
>
> --
> Joerg Mayer                                           <jmayer@loplof.de>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic