Wireshark-users: [Wireshark-users] "Combine" two interfaces in wireshark?
From: "Panagiotis Georgopoulos" <panos@xxxxxxxxxxxxxxxx>
Date: Mon, 17 May 2010 17:11:14 +0100

Hello all,

 

                I have very recently had to uninstall madwifi drivers (ath_pci) and use ath5k instead for my wireless card in ubuntu. However, I’ve noticed that it presents two interfaces in ifconfig and Wireshark’s list of interface for my card, ie. wlan1 and mon.wlan1.

 

                The first time I’ve tried to capture traffic on wlan1 using Wireshark, I’ve noticed that I had packets missing for a certain communication among nodes and then I realized that if I opened another instance of Wireshark and capture mon.wlan1 I was able to see the “missing” packets there. It seems that one interface captures all the incoming traffic and the other all the outgoing.

 

                However, this is very very annoying when trying to debug things and see the time difference between incoming and outgoing packets and of course not being able to see the exchange of packets in one instance of Wireshark (as a nice list) it messes things up.

 

                All this, lead us to the following question. Is Wireshark able to combine wlan1 and mon.wlan1 which in fact refer to one interface? Or I am able to create a pseudo-device as the “any” option in Wireshark to combine these two?

 

                Thanks very much in advance,

                Panos

 

Ps. thanks to all who replied during the weekend on my filter out question, it helped greatly!