Wireshark-dev: Re: [Wireshark-dev] Allowing display filters during capture
From: Sake Blok <sake@xxxxxxxxxx>
Date: Sat, 14 Mar 2015 11:14:17 +0100
On 13 Mar 2015, at 19:09, Guy Harris wrote:
> 
> On Mar 13, 2015, at 7:22 AM, Jeff Morriss <jeff.morriss.ws@xxxxxxxxx> wrote:
> 
>> That will work for your purpose.  The reason the check is there, however, is that most people seem to expect that applying the display filter would affect what messages are sent to the output file (udp_all.pcap).  (They may have that expectation because that's what would have happened in much older versions of Wireshark/Ethereal--before the existence of dumpcap.)
> 
> That was a long time ago; might it be possible now to realign those people's expectations to match what would be, and *should* be, reality?  (One might perfectly rationally want to do a capture of, say, all traffic between two given hosts and, while the capture is running, first look at the NFS traffic between them, and then at the HTTP traffic between them, and then go back to looking at all traffic between them, i.e. it makes perfect sense to allow the display of a live capture to be temporarily filtered without actually filtering the set of *captured* traffic.)

I guess a warning that the filtering with -Y won't affect which packets are saved, and that -f would have to be used for that purpose, would suffice. This warning can even be suppressed when there is a combination of -Y and -f filters.