panathin.blogg.se

Tshark display filter

What tshark/wireshark version are you running? I tried that command and did not get a time value of 0. (if by "time value" you mean Arrival Time or Epoch Time)

Can you post your capture file somewhere?

For your second question of what the difference is between -R -2 and -Y:

For both Wireshark and tshark, when they read the contents of a capture file they build an internal list of the frames (i.e., packets) in it. When you apply a display filter, it filters out packets from that list, to only show you the things that matched the display filter. With a display filter applied, the frame numbers (packet numbers) you see in the left-most column will likely not be sequential, but will instead only be for the packets that matched the display filter. When you clear that display filter, all the frames show up again (in Wireshark obviously, since in tshark you can't clear it afterwards since there is no "afterwards").

But both Wireshark and tshark also support a read filter. A read filter is the same syntax/mechanics as a display filter, but is applied to the frames/packets in the capture file before they are put in that list, and only the packets which match the read filter are added to that list at all.










