An analyst uses `tshark -r capture.pcap -Y "http.request.method == POST"` to display only HTTP POST requests. This is an example of a:
`-Y` applies a display filter to packets in the file.
Why this answer
The `-Y` flag in tshark applies a display filter, which operates on packets already read from the capture file. Display filters use a syntax based on protocol fields (e.g., `http.request.method == POST`) to show or hide packets in the output without altering the underlying capture data. This is distinct from capture filters, which discard packets at the kernel level before they are stored.
Exam trap
Cisco often tests the distinction between display filters (`-Y`) and capture filters (`-f`). The trap catches candidates who mistake the `-Y` flag for a capture filter because both can filter packets, but only capture filters discard data at the point of acquisition.
How to eliminate wrong answers
Option A is wrong because a statistical filter is not a standard tshark filter type; tshark offers capture, read, and display filters, but not a dedicated 'statistical filter' (statistics are generated via separate `-z` options).
Option B is wrong because a read filter is applied with the `-R` flag (deprecated) or `-Y` in older contexts, but the official term for `-Y` is a display filter, and read filters are not a separate category in current Wireshark/tshark documentation.
Option C is wrong because a capture filter uses the `-f` flag and BPF syntax (e.g., `tcp port 80`) to limit which packets are captured or read from a file; the `-Y` flag does not discard packets from the capture, it only filters the display.