Wireshark-dev: Re: [Wireshark-dev] Capturing on multiple interfaces [FEATURE REQUEST]
Andreas Fink wrote:
Apparently it's possible on some platforms to capture on all interfaces
(tcpdump on Linux does this).
Under MacOS X, however, only the first interface is used. This means
running tcpdump or dumpcap twice and merging the files together later if
you want to capture dual-homed traffic (like SCTP).
Suggestion: fix dumpcap to accept something like -i en0 -i en1 or -i
en0,en1. In the first case it does take the last passed interface.
Or maybe fix libpcap to take all interfaces on MacOS X if none is specified?
Linux supports opening a PF_PACKET socket and not binding it to a
particular interface; that's how the "any" device is implemented.
Systems using BPF don't support opening a BPF device and not binding it
to a particular device, which is why there's no "any" device on *BSD or
OS X (or Solaris or HP-UX or Tru64 UNIX or IRIX or Windows) - it's
fairly simple to do on Linux, but much more complicated on other platforms.
An additional problem is that, on Linux, you can open a PF_PACKET socket
as a SOCK_DGRAM socket, so that you get only the payload, not the
link-layer header; libpcap does that for the "any" device, and then
synthesizes a fake link-layer header for them. There's no equivalent in
BPF, so that would either need pcap-NG format (to support multiple
link-layer types in one capture), or perhaps DLT_PPI (again, to support
multiple link-layer types in one capture), or code in libpcap to discard
the link-layer headers and synthesize a link-layer header.
In the case where all the interfaces are supplying packets with the same
link-layer header type, libpcap could, in principle, implement such a
mechanism, at least when you're running in blocking mode, although it'd
require that a pcap_t structure have multiple file descriptors, and that
waiting for packets to arrive and reading them be done with a select() loop.
Probably the best way to do that would be in dumpcap; much of the pcap
API (such as non-blocking mode and selecting on a descriptor) couldn't
be made to work with more than one BPF device.
(In addition, note that "all interfaces" would mean "all interfaces
present at the time you start the capture" unless you have the main loop
also catch the arrival and departure of, for example, PPP interfaces
that appear when you dial up or set up a VPN.)
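The workaround mentioned in the thread (capture each interface separately, then merge the files) runs into the same constraint the reply describes: a classic pcap savefile carries exactly one link-layer type, so two captures can only be merged into one pcap file when their interfaces share that type; otherwise pcap-NG or a wrapping DLT such as DLT_PPI is needed. The following is an added example, not code from Wireshark, mergecap or libpcap: a minimal timestamp-ordered merger that parses the pcap global and record headers with bounds checks and refuses mixed link types. It assumes little-endian classic pcap (magic 0xa1b2c3d4, version 2.4); the en0/en1/lo0 captures are constructed in the script with placeholder payloads, not real frames.

```python
import struct
from typing import List, Tuple

# Classic pcap savefile layout (little-endian, microsecond timestamps).
PCAP_MAGIC = 0xA1B2C3D4
GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, incl_len, orig_len

DLT_NULL = 0    # BSD loopback encapsulation
DLT_EN10MB = 1  # Ethernet

Record = Tuple[int, int, int, bytes]  # (ts_sec, ts_usec, orig_len, captured bytes)


def build_pcap(linktype: int, packets: List[Record], snaplen: int = 65535) -> bytes:
    """Serialize records into a classic pcap file (also used to construct the samples)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, orig_len, payload in packets:
        out += RECORD_HDR.pack(ts_sec, ts_usec, len(payload), orig_len) + payload
    return bytes(out)


def parse_pcap(data: bytes) -> Tuple[int, int, List[Record]]:
    """Parse a classic pcap file into (linktype, snaplen, records).

    Every length field is checked against the bytes actually present, so a
    truncated or malformed file raises ValueError instead of yielding garbage.
    """
    if len(data) < GLOBAL_HDR.size:
        raise ValueError("file shorter than the pcap global header")
    magic, major, minor, _zone, _sig, snaplen, linktype = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported magic 0x%08x (only little-endian classic pcap handled)" % magic)
    if (major, minor) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (major, minor))
    records: List[Record] = []
    off = GLOBAL_HDR.size
    while off < len(data):
        if len(data) - off < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        if incl_len > snaplen or incl_len > orig_len or incl_len > len(data) - off:
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off))
        records.append((ts_sec, ts_usec, orig_len, data[off:off + incl_len]))
        off += incl_len
    return linktype, snaplen, records


def merge_pcaps(captures: List[bytes]) -> bytes:
    """Merge per-interface captures by timestamp into one classic pcap file.

    Classic pcap has one link-layer type per file, so captures whose linktypes
    differ are rejected; holding them together needs pcap-NG (one interface
    description block per interface) or a wrapping DLT such as DLT_PPI.
    """
    parsed = [parse_pcap(c) for c in captures]
    linktypes = {lt for lt, _, _ in parsed}
    if len(linktypes) != 1:
        raise ValueError("mixed link-layer types %s cannot share one pcap file" % sorted(linktypes))
    linktype = linktypes.pop()
    snaplen = max(sl for _, sl, _ in parsed)
    # sorted() is stable: records with equal timestamps keep their input order.
    merged = sorted((r for _, _, recs in parsed for r in recs), key=lambda r: (r[0], r[1]))
    return build_pcap(linktype, merged, snaplen)


def can_merge(captures: List[bytes]) -> bool:
    """True if the captures can be combined into a single classic pcap file."""
    try:
        merge_pcaps(captures)
        return True
    except ValueError:
        return False


# Constructed samples standing in for separate dumpcap runs on en0, en1 and lo0.
# Payloads are placeholder bytes (a 14-byte zero "header" plus a tag), not real frames.
EN0_CAPTURE = build_pcap(DLT_EN10MB, [(100, 10, 60, b"\x00" * 14 + b"en0-1"),
                                      (100, 30, 60, b"\x00" * 14 + b"en0-2")])
EN1_CAPTURE = build_pcap(DLT_EN10MB, [(100, 20, 60, b"\x00" * 14 + b"en1-1"),
                                      (100, 40, 60, b"\x00" * 14 + b"en1-2")])
LO0_CAPTURE = build_pcap(DLT_NULL, [(100, 25, 20, b"\x02\x00\x00\x00" + b"lo0-1")])


def merged_order(captures: List[bytes]) -> List[bytes]:
    """Return the payload tags of the merged capture in file order."""
    _, _, records = parse_pcap(merge_pcaps(captures))
    return [payload[14:] for _, _, _, payload in records]


if __name__ == "__main__":
    print(merged_order([EN0_CAPTURE, EN1_CAPTURE]))
    print("en0 + lo0 mergeable:", can_merge([EN0_CAPTURE, LO0_CAPTURE]))
```

The en0 and en1 samples interleave to en0-1, en1-1, en0-2, en1-2; adding the DLT_NULL loopback capture is refused, which is the point of the reply: one pcap file, one link-layer type, and anything beyond that needs a different container format.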