 | 1 | initial version |
It is supposed to work this way.
-Y is used to specify a display filter, so while all packets are read from the capture file, only the packets matching the specified display filter criteria are displayed. This means all frame numbers shown are the original frame number from the file.
Contrast this with -R, which specifies a read filter. This means that only those packets matching the specified read filter criteria are read from the file. As such, the frame number are renumbered because non-matching packets are essentially treated as if they weren't part of the capture file to begin with.
Read more about display filters vs. read filters on the tshark man page.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
