Wireshark-dev: Re: [Wireshark-dev] capturing on multiple interfaces
From: Tyson Key <tyson.key@xxxxxxxxx>
Date: Thu, 21 May 2009 20:12:56 +0100
Hi Michael, I've sent you some samples off-list. I hope they're of use.

Thanks,
Tyson

On Thu, May 21, 2009 at 7:54 PM, Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx> wrote:
On May 21, 2009, at 8:01 PM, Tyson Key wrote:

> Hi. I'm not sure what the problem was, although changing the
> directory to the directory that the capture files are to be stored
> in, and doing "sudo ../wireshark-1.1.4-SVN-28436/dumpcap -n -s 0 -w
> Wifi3 -i wlan0" did the trick nicely.
>
> A great job with the implementation by the way, so far. I managed to
> create an ersatz multi-link-type file by cat-ing together a file
> with 802.11 packets, one with USB packets, and one with Linux Cooked
> packets from a PPP device, and Wireshark handled them perfectly
> (barring some timestamp strangeness - the appended packets have
> negative timestamps, although I'd expect that sort of behaviour,
> given that there are multiple "reference" timestamps, and an issue
> with the USB dissector (gives "Warn Dissector bug, protocol USB, in
> packet 104: packet-usb.c:1702: failed assertion
> "DISSECTOR_ASSERT_NOT_REACHED"" although it's probably a known
> issue)), if anyone's interested.
Can you send me the tracefile privately? I would like to have a look
at the timestamp problem...
>
>
> Thanks,
> Tyson.
>
> On Thu, May 21, 2009 at 6:51 PM, Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx
> > wrote:
> On May 21, 2009, at 7:24 PM, Tyson Key wrote:
>
> > Hi again, Michael. Probably a stupid question, and I'm not sure if
> > it's a bug or not, but any idea why I'd get "The file to which the
> > capture would be saved ("../pcapng/U1") could not be opened:
> > Permission denied." when trying to write a pcap-ng file to any
> > directory other than the default one (/tmp), even as root, and when
> > a directory has it's permission bits set to 777?
> Not sure what the problem could be. I can run
> ./dumpcap -n -w test.pcapng -i lo0 -p
> without any problem...
> >
> >
> > Thanks in advance,
> > Tyson.
> >
> > On Thu, May 21, 2009 at 5:24 PM, Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx
> > > wrote:
> > On May 21, 2009, at 5:17 PM, Tyson Key wrote:
> >
> > > Hi Michael. This is fantastic news to hear!
> > > Will it eventually support non-Ethernet, and mixed link types in
> the
> > > same file (e.g. mmapped Linux USB and Ethernet), out of interest?
> > Yes, it should be possible to capture from multiple interfaces of
> link
> > types
> > which are supported today (so I do not add new link types). For
> > supporting
> > multiple link types, I had to add pcapng support, which is already
> > there...
> >
> > Best regards
> > Michael
> >
> > >
> > >
> > > Thanks,
> > > Tyson.
> > >
> > > On Thu, May 21, 2009 at 1:11 PM, Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx
> > > > wrote:
> > > On May 21, 2009, at 12:02 PM, <chandra.kotikalapudi@xxxxxxxxx>
> > wrote:
> > >
> > > > Hi Michael,
> > > >
> > > > I have downloaded the source code from SVN. Can you please say
> how
> > > > to use dumpcap option -n to capture on interfaces x1, x2, x3
> > from x1
> > > > to xn.
> > > Currently you can capture only on one interface, so
> > > dumpcap -n -i en0
> > > should work.
> > > A future version will support
> > > dumpcap -n -i en0 -s 100 -i en1 -s 1000
> > > and so one, where you capture on en0 with snaplen 100 and on en1
> > with
> > > snaplen 1000.
> > > You will also be able to set a pe interface capture filter, link
> > type,
> > > promiscuous flag.
> > > I'll send a note to the dev list, when this stuff is working.
> > >
> > > Which platform are you using?
> > >
> > > Best regards
> > > Michael
> > >
> > > >
> > > >
> > > > Regards,
> > > > Chandra.
> > > >
> > > > -----Original Message-----
> > > > From: Chandra Sekhar kotikalapudi (WT01 - Telecom Equipment)
> > > > Sent: Thursday, May 21, 2009 3:20 PM
> > > > To: 'Developer support list for Wireshark'
> > > > Subject: RE: [Wireshark-dev] capturing on multiple interfaces
> > > >
> > > > Hi Michael,
> > > >
> > > > It is good to hear you have already working on it. Can you
> please
> > > > say in which svn version it is available so that I could do the
> > > > testing what ever possible?
> > > >
> > > > Thanks & Regards,
> > > > Chandra.
> > > >
> > > > -----Original Message-----
> > > > From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx
> > > > ] On Behalf Of Michael Tüxen
> > > > Sent: Thursday, May 21, 2009 2:52 PM
> > > > To: Developer support list for Wireshark
> > > > Subject: Re: [Wireshark-dev] capturing on multiple interfaces
> > > >
> > > > On May 21, 2009, at 8:59 AM, <chandra.kotikalapudi@xxxxxxxxx> <chandra.kotikalapudi@xxxxxxxxx
> > > >> wrote:
> > > >
> > > >> Hi Tyson,
> > > >>
> > > >> Thank you very much for the response.
> > > >> Is it possible to capture on desired 'x' interfaces in 'n'
> > > >> interfaces available using "dumpcap".
> > > > This is what I'm working on. The capture file will be stored
> > > > in .pcapng format...
> > > > Saving in .pcapng is already available in the svn version. Use
> the
> > > -n
> > > > option.
> > > > Testing it is highly appreciated...
> > > >
> > > > Best regards
> > > > Michael
> > > >
> > > >>
> > > >> Regards,
> > > >> Chandra.
> > > >> From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx
> > > >> ] On Behalf Of Tyson Key
> > > >> Sent: Monday, May 18, 2009 8:53 PM
> > > >> To: Developer support list for Wireshark
> > > >> Subject: Re: [Wireshark-dev] capturing on multiple interfaces
> > > >>
> > > >> Hi, Chandra.
> > > >> Assuming that all the devices you want to capture on uses the
> > same
> > > >> link type, there's an "any" pseudo-device on Linux that you can
> > > use.
> > > >> Sadly, it doesn't store information about the devices involved,
> > and
> > > >> the link type-specific headers are transformed into a "Cooked"
> > > >> format. You might want to investigate pcap-ng for that sort of
> > > stuff.
> > > >>
> > > >> Hope that helps,
> > > >> Tyson.
> > > >> On Mon, May 18, 2009 at 10:23 AM,
> > <chandra.kotikalapudi@xxxxxxxxx>
> > > >> wrote:
> > > >> Hi,
> > > >>
> > > >>
> > > >>
> > > >> We all know Wireshark can capture on different interfaces,
> can it
> > > be
> > > >> able to capture on all interfaces at once using Wireshark?
> > > >>
> > > >>
> > > >>
> > > >> If 'No' is the answer can any one help me in understanding how
> > > >> capturing is done using Wireshark?
> > > >>
> > > >> I could change the implementation accordingly for my needs to
> > > >> capture on all interfaces.
> > > >>
> > > >>
> > > >>
> > > >> Thanks in advance.
> > > >>
> > > >>
> > > >>
> > > >> Regards,
> > > >>
> > > >> Chandra.
> > > >>
> > > >>
> > > >>
> > > >> Please do not print this email unless it is absolutely
> necessary.
> > > >>
> > > >> The information contained in this electronic message and any
> > > >> attachments to this message are intended for the exclusive
> use of
> > > >> the addressee(s) and may contain proprietary, confidential or
> > > >> privileged information. If you are not the intended recipient,
> > you
> > > >> should not disseminate, distribute or copy this e-mail. Please
> > > >> notify the sender immediately and destroy all copies of this
> > > message
> > > >> and any attachments.
> > > >>
> > > >> WARNING: Computer viruses can be transmitted via email. The
> > > >> recipient should check this email and any attachments for the
> > > >> presence of viruses. The company accepts no liability for any
> > > damage
> > > >> caused by any virus transmitted by this email.
> > > >>
> > > >> www.wipro.com
> > > >>
> > > >>
> > > >>
> > >
> >
> ___________________________________________________________________________
> > > >> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx
> > > >
> > > >> Archives:    http://www.wireshark.org/lists/wireshark-dev
> > > >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-
> dev
> > > >>            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
> > > >>
> > > >>
> > > >>
> > > >> --
> > > >> Fight Internet Censorship! http://www.eff.org
> > > >>              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > >> http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon |
> > > >> +447549728105
> > > >> Please do not print this email unless it is absolutely
> necessary.
> > > >>
> > > >> The information contained in this electronic message and any
> > > >> attachments to this message are intended for the exclusive
> use of
> > > >> the addressee(s) and may contain proprietary, confidential or
> > > >> privileged information. If you are not the intended recipient,
> > you
> > > >> should not disseminate, distribute or copy this e-mail. Please
> > > >> notify the sender immediately and destroy all copies of this
> > > message
> > > >> and any attachments.
> > > >>
> > > >> WARNING: Computer viruses can be transmitted via email. The
> > > >> recipient should check this email and any attachments for the
> > > >> presence of viruses. The company accepts no liability for any
> > > damage
> > > >> caused by any virus transmitted by this email.
> > > >>
> > > >> www.wipro.com
> > > >>
> > > >>
> > >
> >
> ___________________________________________________________________________
> > > >> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx
> > > >
> > > >> Archives:    http://www.wireshark.org/lists/wireshark-dev
> > > >> Unsubscribe: https://wireshark.org/mailman/options/wireshark-
> dev
> > > >>            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
> > > >
> > > >
> > >
> >
> ___________________________________________________________________________
> > > > Sent via:    Wireshark-dev mailing list <wireshark-
> > > dev@xxxxxxxxxxxxx>
> > > > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> > > >             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
> > > >
> > > > Please do not print this email unless it is absolutely
> necessary.
> > > >
> > > > The information contained in this electronic message and any
> > > > attachments to this message are intended for the exclusive use
> of
> > > > the addressee(s) and may contain proprietary, confidential or
> > > > privileged information. If you are not the intended recipient,
> you
> > > > should not disseminate, distribute or copy this e-mail. Please
> > > > notify the sender immediately and destroy all copies of this
> > message
> > > > and any attachments.
> > > >
> > > > WARNING: Computer viruses can be transmitted via email. The
> > > > recipient should check this email and any attachments for the
> > > > presence of viruses. The company accepts no liability for any
> > damage
> > > > caused by any virus transmitted by this email.
> > > >
> > > > www.wipro.com
> > > >
> > >
> >
> ___________________________________________________________________________
> > > > Sent via:    Wireshark-dev mailing list <wireshark-
> > > dev@xxxxxxxxxxxxx>
> > > > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> > > >             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
> > > >
> > >
> > >
> >
> ___________________________________________________________________________
> > > Sent via:    Wireshark-dev mailing list <wireshark-
> > dev@xxxxxxxxxxxxx>
> > > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> > >             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
> > >
> > >
> > >
> > > --
> > > Fight Internet Censorship! http://www.eff.org
> > >               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon |
> > > +447549728105
> > >
> >
> ___________________________________________________________________________
> > > Sent via:    Wireshark-dev mailing list <wireshark-
> > dev@xxxxxxxxxxxxx>
> > > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> > >             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
> >
> >
> ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-
> dev@xxxxxxxxxxxxx>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
> >
> >
> >
> > --
> > Fight Internet Censorship! http://www.eff.org
> >               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon |
> > +447549728105
> >
> ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-
> dev@xxxxxxxxxxxxx>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
>
> --
> Fight Internet Censorship! http://www.eff.org
>               ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon |
> +447549728105
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Fight Internet Censorship! http://www.eff.org
              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://i9.house404.co.uk/ | Twitter/FriendFeed/Skype: vmlemon | +447549728105