Re: Wireshark V1.8.0 - analysing dual NIC capture

[Guy Harris <guy () alum mit edu>]

On Jun 27, 2012, at 12:13 AM, Tamás Varga wrote:

> Hi Guy, is this also means that there is no way today to display or filter packets based on the interface they have 
> been captured? /Tamas

I'm not sure what you're asking, but if you mean "does this also mean that you can't construct a display filter that 
matches only packets from some particular interface?", the answer is "no, it doesn't".  For pcap-ng capture files 
(which are the default when capturing), you can filter on the "frame.interface_id" field; its value is the numerical 
interface ID in the capture.  See the Statistics -> Summary window for a list of all the interfaces; the first one has 
an interface ID of 0, the second one has an interface ID of 1, etc..  You could also see it in the "Frame" section of 
the packet detail pane.

We should, if the interface has a name, display it in the Frame section, and support filtering on it as well.  (If you 
were to merge two captures, both of which had an interface named, for example, "eth0", but those were "eth0" interfaces 
on different machines, you wouldn't be able to distinguish between them by filtering on the interface name, but that's 
life.)

A *capture* filter specifying an interface would make sense only on the Linux "any" device; libpcap currently doesn't 
support that.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe