Oh, right, sorry, I missed that you were capturing from a pipe. <sigh> I read too quickly these days... (Thanks Chris.)
The issue with capture filters is that capture filters are normally implemented in the kernel; Wireshark/tshark doesn't have to deal with it. When reading from a pipe, BPF isn't involved, so something in userspace (libpcap?) would have to re-implement the filtering.
And, as bug 2234 describes, display filtering happens in a separate process than the one doing the capturing and writing the file.
So, no, there isn't a good solution. You'll probably have to post-process the files to do the filtering (painful, I know).
Hmm, can I now downvote my old (bogus) answer? I'll find out...
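
An added example, not part of the original answer: a minimal userspace post-processing pass over a saved capture, of the kind the answer says is needed when no kernel BPF filter was applied. It assumes a classic (non-pcapng) pcap file with Ethernet framing and IPv4; the function names `filter_pcap`, `tcp_port` and `sample_capture` are hypothetical, and the sample capture is constructed inline.

```python
import struct

def filter_pcap(data, keep):
    """Copy a classic pcap byte string, keeping only records whose frame keep() accepts."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic microsecond pcap file (pcapng not handled)")
    out, kept, offset = bytearray(data[:24]), 0, 24   # global header copied as-is
    while offset + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, offset + 8)[0]
        end = offset + 16 + incl_len
        if end > len(data):
            break                                      # truncated final record: drop it
        if keep(data[offset + 16:end]):
            out += data[offset:end]
            kept += 1
        offset = end
    return bytes(out), kept

def tcp_port(port):
    """Predicate roughly equivalent to the capture filter 'tcp port N' (Ethernet + IPv4 only)."""
    def match(frame):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            return False
        if struct.unpack_from("!H", frame, 20)[0] & 0x1FFF:
            return False                               # non-first fragment: no TCP header
        l4 = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < l4 + 4:
            return False
        return port in struct.unpack_from("!HH", frame, l4)
    return match

def sample_capture():
    """Constructed input: three frames (TCP to port 80, UDP 53, TCP to port 443)."""
    def frame(proto, sport, dport):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
        return b"\x00" * 12 + b"\x08\x00" + ip + struct.pack("!HH", sport, dport) + b"\x00" * 4
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for n, f in enumerate([frame(6, 40000, 80), frame(17, 53, 53), frame(6, 40001, 443)]):
        pcap += struct.pack("<IIII", n, 0, len(f), len(f)) + f
    return pcap

if __name__ == "__main__":
    filtered, kept = filter_pcap(sample_capture(), tcp_port(80))
    print(kept, "record(s) kept,", len(filtered), "bytes")
```

For a real file, read it with `open(path, "rb").read()` and write the returned bytes to a new file; the original capture is left untouched.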