bug: Display filters do not work on live capture about termshark HOT 2 CLOSED

Hi - this bug worries me. On linux, changing the display filter during a live capture seems to work. Maybe it was too much to hope that things would just work across platforms. Unfortunately I don't have a mac to test on - a friend of mine exercised termshark for me on macOS before I pushed v1. Maybe I need to spring for a mac!

On my linux machine, here are the processes that are started by termshark when doing a live capture:

gcla 2569 0.0 0.0 64804 5924 pts/13 S+ 22:37 0:00 dumpcap -P -i wlan0 -w /home/gcla/.cache/termshark/wlan0-776447025.pcap
gcla 2570 0.3 0.3 361928 115736 pts/13 S+ 22:37 0:00 tshark -T psml -o gui.column.format:"No.","%m","Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Info","%i" -i - -l -d udp.port==2075,cflow -d udp.port==9191,cflow -d udp.port==2055,cflow -d udp.port==2095,cflow
gcla 2571 0.0 0.0 7512 856 pts/13 S+ 22:37 0:00 tail -f -c +0 /home/gcla/.cache/termshark/wlan0-776447025.pcap
gcla 2593 0.0 0.0 62496 5040 pts/13 S+ 22:37 0:00 /usr/bin/dumpcap -n -i - -Z none

I'm running grep -i 'tshark|tail|dumpcap'. In the process list above, ignore the second dumpcap for now.

If I change the filter and hit apply, I see

gcla 2569 0.0 0.0 64804 5924 pts/13 S+ 22:37 0:00 dumpcap -P -i wlan0 -w /home/gcla/.cache/termshark/wlan0-776447025.pcap
gcla 4022 1.0 0.3 361932 115580 pts/13 S+ 22:38 0:00 tshark -T psml -o gui.column.format:"No.","%m","Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Info","%i" -i - -l -Y ssdp -d udp.port==2075,cflow -d udp.port==9191,cflow -d udp.port==2055,cflow -d udp.port==2095,cflow
gcla 4023 0.0 0.0 7512 808 pts/13 S+ 22:38 0:00 tail -f -c +0 /home/gcla/.cache/termshark/wlan0-776447025.pcap
gcla 4046 0.0 0.0 62496 4896 pts/13 S+ 22:38 0:00 /usr/bin/dumpcap -n -i - -Z none

So you don't have to squint at that, (1) the first-listed dumpcap process is left alone (pid the same) - it reads from the selected interface and saves to a pcap in the cache dir, and (2) the other processes are restarted - tail to read from the cached pcap and feed it to tshark to generate PSML. You can see the "ssdp" filter I applied in there next to the -Y argument.

I'm not sure what's happening on macOS - maybe I'm failing to kill and restart the tail and tshark -T psml processes. Maybe you'll be able to tell with the info above? If the kill commands failed, there should be something in the log file - on macOS I believe it's under ~/Library/Caches/.

Thanks again for these bug reports.

from termshark.

This is a Wireshark bug. When I filter by "TCP", I see TCP and ICMP traffic in both tshark and termshark.

This is what I was seeing: https://superuser.com/questions/964134/is-icmp-port-unreachable-error-generated-by-both-tcp-and-udp

from termshark.