Wireshark mailing list archives
Re: pcapng / interface names / OPT_IDB_NAME
From: Harald Welte <laforge () gnumonks org>
Date: Sat, 24 Oct 2020 18:59:51 +0200
Hi Chris,
thanks for your input.
On Fri, Oct 23, 2020 at 04:13:17PM +0000, Maynard, Chris via Wireshark-dev wrote:
> > I'm currently facing a problem where I need to create pcap files of about 26 network devices in parallel. 24 of those are hdlcX devices (by Linux kernel hdlc_fr), while two are Ethernet devices. So there are different link types, but I doubt this matters for the remainder of the discussion.
> It matters if you intend to merge different capture files together with different DLT's, in which case you'll most definitely want to use the pcapng format to retain the different interfaces and not the pcap format, which supports only a single encapsulation per file.
I was imprecise. In the above sentence, replace "I need to create pcap files" with "I need to create packet captures in whatever format supported by wireshark". So pcap-ng is perfectly fine here.
> > The resulting capture file should of course indicate on which particular interface a given packet was sent or received.
> If you use pcapng, it will.
great.
> > Furthermore, when starting a cooked Linux capture on the Linux 'any' device, it also appears wireshark is not displaying the information about which netdevice the message was captured.
> Instead of capturing on the "any" interface, you can specify multiple occurrences of the "-i" option for each interface you intend to capture from. Yes, this makes the command-line longer and initially more tedious to construct, especially if you have a large number of interfaces.
Ok, will try that, thanks. Didn't know it was possible, to be honest.
> > As far as I know, on AF_PACKET sockets one can do recvmsg() and will then get a sockaddr_ll structure alongside the actual packet, which contains the ifindex of the underlying network device. Together with the usual sockopt or netlink based method that can be translated to a device name. Am I missing something? Is there a specific reason why this information is not obtained/displayed or written when writing an output file, even in pcap-ng mode?
> It should be written, just don't capture on the "any" interface.
Thanks, I hear you. However: I'm wondering why that is. Is there any fundamental reason for it? As I stated above, an AF_PACKET socket does not have to be bound to a specific interface (see "man 7 packet") and when recvmsg() is used, you will get the interface index of the interface on a per-packet basis. Am I misunderstanding the capabilities of AF_PACKET sockets? Or is this simply something wireshark never implemented, but it could very well be added. In the latter case, I might be tempted to try cooking up a patch.
-- 
- Harald Welte <laforge () gnumonks org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)
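An added illustration of the pcapng point discussed in this message (not code from the thread or from Wireshark): each Interface Description Block can carry an if_name option (OPT_IDB_NAME), and each Enhanced Packet Block carries an interface ID indexing those blocks, so one file keeps per-packet interface names and per-interface link types. The interface names, payload bytes and helper names are constructed for the example, the link types are chosen for illustration, and only little-endian sections are handled.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_FRELAY = 1, 107   # tcpdump.org link-type registry values
SHB, IDB, EPB = 0x0A0D0D0A, 1, 6              # pcapng block type codes
OPT_END, IF_NAME = 0, 2                       # IDB option codes (if_name = OPT_IDB_NAME)

def pad4(b):
    return b + b"\x00" * (-len(b) % 4)        # pcapng aligns fields to 32 bits

def block(btype, body):
    total = 12 + len(body)                    # type + leading/trailing length + body
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def idb(linktype, name):
    n = name.encode()
    opts = struct.pack("<HH", IF_NAME, len(n)) + pad4(n) + struct.pack("<HH", OPT_END, 0)
    return block(IDB, struct.pack("<HHI", linktype, 0, 0) + opts)

def epb(if_id, data):
    return block(EPB, struct.pack("<IIIII", if_id, 0, 0, len(data), len(data)) + pad4(data))

def read_packets(buf):  # returns [(if_name, linktype, payload)], one entry per EPB
    ifaces, out, off = [], [], 0
    while off < len(buf):
        btype, total = struct.unpack_from("<II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError("bad block length")
        body = buf[off + 8:off + total - 4]
        if btype == SHB:
            ifaces = []                       # interface IDs restart in every section
        elif btype == IDB:
            (linktype,), name, o = struct.unpack_from("<H", body), None, 8
            while o + 4 <= len(body):
                code, ln = struct.unpack_from("<HH", body, o)
                if code == OPT_END:
                    break
                if code == IF_NAME:
                    name = body[o + 4:o + 4 + ln].decode()
                o += 4 + ln + (-ln % 4)       # option values are padded to 4 bytes
            ifaces.append((name, linktype))
        elif btype == EPB:
            if_id, caplen = struct.unpack_from("<I8xI", body)  # skip the timestamp
            out.append(ifaces[if_id] + (body[20:20 + caplen],))
        off += total
    return out

def demo():  # constructed capture: two interfaces, different link types, one packet each
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    ifs = idb(LINKTYPE_ETHERNET, "eth0") + idb(LINKTYPE_FRELAY, "hdlc0")
    return read_packets(shb + ifs + epb(1, b"\x18\x41\x03\xcc") + epb(0, bytes(14)))
```
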