That is exactly what I'm after in Wireshark.
I just want Wireshark to throw away all packets that don't match a
display filter, like the -R option in tshark.
Otherwise Wireshark will save a lot of uninteresting packets in memory
or in a file, which slows down further searches in the captured data.
Right now, an equivalent to the -R option in tshark seems missing in
Wireshark.
/Petter
Jaap Keuter wrote:
Hi,
Your conclusion that what isn't displayed isn't captured is incorrect.
Let's get into the details, shall we?
First there's the capture engine, then the processing and then the display.
The capture filter determines what's presented to the processing part.
The display filter determines what's presented to the end user.
This is the same for both WS and TS.
As you can see, when you set a display filter all packets do get
captured and processed, but not presented to the end user (or put in an
output file for that matter).
Thanx,
Jaap
Petter Strandmark wrote:
Hi,
Using tshark I am able to only capture packets matching a certain display
filter (-R option). This is very useful when I want to capture specific
information over a long period of time on a high-traffic network.
Isn't this possible in Wireshark? If it isn't, why not? Capture filters
are useful, but display filters can be so much more specific.
/Petter
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users