I am using the Wireshark 2.0.3 .While using tshark it is seen that frame numbers for unfiltered data and filtered data for the same packets are appearing different. The command that I am giving is as follows: tshark -r test.pcap
which will produce unfiltered data from the capture file
and
tshark -r test.pcap -R "...some criteria..." -2
which will give filtered data. On comparing the frame numbers it is seen that frame numbers for the same packets (with same time stamp,ttl ,seq num etc)are different. This happens only on second pass analysis. If I do a Single pass analysis
tshark -r test.pcap -Y "...some criteria..."
frame numbers are consistent.
Is it supposed to work this way? Or is it a Bug ?
Thanks and Best Regards, Akshay
