Ethereal-dev: Re: [Ethereal-dev] Capturing from multiple interfaces at once ...

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Thu, 11 Apr 2002 12:35:38 -0700
On Fri, Apr 12, 2002 at 02:42:37AM +0930, Richard Sharpe wrote:
> On Thu, 11 Apr 2002, Andrew C. Feren wrote:
> > Would it be sufficient to run [t]ethereal once on each interface and
> > merge the captures with mergecap after the fact?  
> 
> Hmmm, no, I want to preserve, as much as possible, the timing 
> relationship between packets on the two interfaces without guesswork.

You would not get a much better timing relationship by capturing on both
interfaces at once than by running two instances of (tcpdump, Ethereal,
Tethereal, etc.) and merging the captures.

Except perhaps on Linux with the "any" device, were (tcpdump, Ethereal,
Tethereal, etc.) to capture on more than one interface, it would, in
effect, be merging two separate capture streams, as Linux is the only OS
on which you can get packets from multiple devices from the same file
descriptor/handle.  On any other OS, you'd have to open multiple capture
streams, do something such as a "select()" or "poll()" or
"WaitForMultipleObjects()" call to wait for one or more to have packets
available, and read from all the active ones separately, merging the
packets into one stream.

> Also, I guess I should come clean. I want this for FreeBSD. I could 
> probably hack tcpdump to capture from both interfaces at once ...

You could, but note that on versions of FreeBSD prior to 4.5, "select()"
and "poll()" don't work right on BPF devices.  (And, on 4.4,
non-blocking mode doesn't, I suspect, work in ways that allow you to
use the standard work-around for that long-standing BSD bug.)
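
Added example, not part of the original message and not mergecap's own code: a timestamp-ordered merge of two per-interface capture streams, the operation the message says any multi-interface capture reduces to. It assumes classic pcap files with microsecond timestamps whose records are already in time order; the interface names em0/em1 and the packet contents are constructed.

```python
import heapq
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def make_pcap(packets, linktype=1):
    """Build a little-endian classic pcap buffer from (sec, usec, payload) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def read_pcap(buf, source):
    """Yield (sec, usec, source, payload) for each record in a pcap buffer."""
    magic = struct.unpack_from("<I", buf, 0)[0]
    if magic == PCAP_MAGIC_USEC:
        endian = "<"          # file written on a little-endian host
    elif magic == 0xD4C3B2A1:
        endian = ">"          # file written on a big-endian host
    else:
        raise ValueError("not a microsecond-resolution classic pcap file")
    offset = 24               # skip the 24-byte global header
    while offset + 16 <= len(buf):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", buf, offset)
        offset += 16
        if offset + incl_len > len(buf):
            break             # truncated last record (capture killed mid-write)
        yield sec, usec, source, buf[offset:offset + incl_len]
        offset += incl_len

def merge_captures(captures):
    """Merge [(name, pcap_bytes), ...] into one list ordered by timestamp.

    Packets with equal timestamps keep the order of the input list, so the
    result is deterministic but says nothing about which arrived first.
    """
    streams = [read_pcap(buf, name) for name, buf in captures]
    return list(heapq.merge(*streams, key=lambda rec: (rec[0], rec[1])))

if __name__ == "__main__":
    # Constructed sample: two captures taken separately, one per interface.
    em0 = make_pcap([(100, 0, b"a1"), (100, 500000, b"a2"), (101, 250000, b"a3")])
    em1 = make_pcap([(100, 250000, b"b1"), (101, 0, b"b2")])
    for sec, usec, source, payload in merge_captures([("em0", em0), ("em1", em1)]):
        print(f"{sec}.{usec:06d} {source} {payload!r}")
```

Keeping the source name on each record preserves which interface a packet was seen on after the merge, which a single combined file would otherwise lose.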