Wireshark · Wireshark-dev: [Wireshark-dev] Multiple interface capture device support in dumpcap

Wireshark-dev: [Wireshark-dev] Multiple interface capture device support in dumpcap

From: Stephen Donnelly <Stephen.Donnelly@xxxxxxxxxx>

Date: Wed, 6 Jun 2012 03:04:59 +0000

I've posted an 'experimental' patch/hack to dumpcap in Bug #7300.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7300

The dumpcap implementation assumes that there is a one-to-one mapping between capture sources (pipe or pcap device) and physical interfaces, and so assigns one pcap-NG 'Interface Id' per source. This is fine for conventional capture sources, but does not support devices that represent more than one physical interface well.

The patch adds support for DLT_ERF captures via libpcap. Since a LINKTYPE_ERF represents up to 4 interfaces, I assign 3 additional sequential Interface Ids, which creates additional IDBs in the captured file.

It seems possible that a pipe data source with DLT_PPI or DLT_ERF could also represent more than one interface. Also in future libpcap may support some native form of multiple-interface capture, either with or without pcap-NG capture APIs?

I'm not suggesting patch this is the best solution, although it is functional. Any thoughts? Is it worth adding an explicit 'capture device to multi-interface' abstraction layer in dumpcap?

Stephen

Follow-Ups:
- Re: [Wireshark-dev] Multiple interface capture device support in dumpcap
  - From: Guy Harris

Prev by Date: Re: [Wireshark-dev] Lua: condition on protocol preference
Next by Date: Re: [Wireshark-dev] recent buildbot errors: I'm working on them ....
Previous by thread: Re: [Wireshark-dev] [Wireshark-commits] rev 41953: /trunk/epan/dissectors/ /trunk/epan/dissectors/: packet-ip.c packet-ip.h packet-ipv6.c
Next by thread: Re: [Wireshark-dev] Multiple interface capture device support in dumpcap
Index(es):
- Date
- Thread