Wireshark-bugs: [Wireshark-bugs] [Bug 2234] Filtering tshark captures with display filters (-R)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234
--- Comment #1 from Jeff Morriss <jeff.morriss@xxxxxxxxxxx> 2008-01-31 23:02:16 GMT ---
Yes, this is actually the expected behavior now. As a result of the work done
for privilege separation, the (small, reasonable to run setuid-root) tool doing
the capturing (dumpcap) is also writing out the files.

tshark then reads that file in so it can display the output (when not using
"-w" to write the file).

When using "-w" to write the file, well, tshark actually doesn't do anything
but print statistics(?).

There was a lot of discussion about this at the time but, IIRC, the
consensus(?) basically was:

- we absolutely needed priv sep (Wireshark has way too much code to all be
running as root, especially since it's looking at potentially malicious network
traffic)
- it's more important that dumpcap be fast so that it doesn't drop packets than
to keep read filters while capturing to a file (that's why it writes the files
directly rather than trying to send the packets to Wireshark/tshark through a
pipe)

Probably due to the controversy of some of that we never got around to
preventing "-R" from working with "-w".

I suppose this bug should at least do that.