Wireshark mailing list archives
Re: Multiple interface capture device support in dumpcap
From: Stephen Donnelly <stephen.donnelly () endace com>
Date: Thu, 7 Jun 2012 10:49:34 +1200
On 06/06/12 22:03, Guy Harris wrote:
On Jun 5, 2012, at 8:04 PM, Stephen Donnelly wrote:I've posted an 'experimental' patch/hack to dumpcap in Bug #7300. https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7300 The dumpcap implementation assumes that there is a one-to-one mapping between capture sources (pipe or pcap device) and physical interfaces, and so assigns one pcap-NG 'Interface Id' per source. This is fine for conventional capture sources, but does not support devices that represent more than one physical interface well....such as the Linux "any" device.
Good point, this is another case. Could PPI records come from multiple physical interfaces as well?
Does the linux 'any' device include a pseudo-header to indicate which interface each frame was captured on?
Is there a way to determine (before capture starts) how many interfaces will be captured from, or any details about them? This may require a new libpcap API.
Stephen. -- ___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- Multiple interface capture device support in dumpcap Stephen Donnelly (Jun 05)
- Re: Multiple interface capture device support in dumpcap Guy Harris (Jun 06)
- Re: Multiple interface capture device support in dumpcap Stephen Donnelly (Jun 06)
- Re: Multiple interface capture device support in dumpcap Guy Harris (Jun 06)