Wireshark-users: Re: [Wireshark-users] capturing packets on two interfaces: eth0 and lo
From: esolve esolve <esolvepolito@xxxxxxxxx>
Date: Wed, 31 Oct 2012 17:46:07 +0100
I'm wondering whether running two instances will lead to capturing problems, like packet losses, out of order, or even packet dilivery problems, as in my case, these packets will sequentially pass eth0 and lo

2012/10/31 Guy Harris <guy@xxxxxxxxxxxx>

On Oct 31, 2012, at 7:18 AM, esolve esolve <esolvepolito@xxxxxxxxx> wrote:

> I'm capturing packets related to a  program which uses a local socks proxy, the packets on eth0 are encrypted while the packets on lo are corresponding decrypted content.
>
> I'm wondering whether it is possible to simultaneously capturing packets on two interfaces: eth0 and lo, and output the packets into two different files?

Yes, by running two instances of tcpdump, dumpcap, TShark, or Wireshark.

It's also possible to simultaneously capture on two interfaces and output the packets into *one* file with a single instance of dumpcap, TShark, or Wireshark, but not tcpdump (which can't write pcap-ng files).

It's not possible to simultaneously capture on two interfaces and output the packets into separate files with one instance of any of the programs listed above.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe