Ethereal-dev: Re: [Ethereal-dev] Capturing from multiple interfaces, and why we need this.
On Sun, 1 Feb 2004, Ulf Lamping wrote:
> Hi List!
>
> Currently, Ethereal can only capture from one interface at once.
>
> To be able to capture on a full duplex Ethernet without interfering the
> net, you have to think about how to do this.
> As some of my colleques are doing network troubleshooting, they have a
> problem here.
> [deleted]
> c) add a network tap
>
> To c): a network tap is plugged between a switch and the device under
> test and
> will be (almost) passive to the measured network. It will hand out both
> directions of the full duplex connection with two
> ethernet plugs. So if you want to capture now, you must do this from two
> ethernet interface at once.
I can see that it might be possible under UNIX to use select or poll and
to open up several /dev/bpfN devices, however, things might get difficult.
Another possible approach might be to modify the Berkeley Packet Filter
code to allow capture on multiple interfaces with the same filter
applying.
However, some issues that arise are:
1. Do we want separate capture filter expressions for each interface and
if so, how do we support that. If not, does this make life difficult for
people using the facility in coming up with a capture filter expression
that is flexible enough for what users want to do.
2. How much more complex will the code be if we add either of the above
two approaches and how long will it take to get things done.
3. Which of the above two approaches is going to be more difficult,
considering that some UNIX OSes have their own non-BPF capture mechanisms
etc.
Regards
-----
Richard Sharpe, rsharpe[at]richardsharpe.com, rsharpe[at]samba.org,
sharpe[at]ethereal.com, http://www.richardsharpe.com
