On Sat, Oct 28, 2000 at 11:28:24PM +0300, Paul Ionescu wrote:
> Other captures support multiple interfaces, but ethereal ignore the
> information about the interface (this is the case of ascend, toshiba,
> ngsniffer, netxray, iptrace and others).
Where in the Sniffer and NetXRay file or record header is there an
indication of the interface on which a packet was captured? If we don't
know that, Ethereal has no choice but to ignore it, as it doesn't know
where to get it or how to interpret it.
> Usualy is not so interesting to
> have the interface on which the packet is captured, but there are some
> special cases when it makes difference, like ISDN PRI/BRI, because in
> this case is hard to know on which B channel the packet is.
That particular case is obviously ISDN-specific, so I don't see a
problem with putting it in a specific ISDN pseudo-header. For the
Ascend captures, the interfaces are the Ethernet and ISDN interface; I'd
think of the interface as being the ISDN device, which has 3 channels
(or more, for PRI), so I wouldn't think of the channels as separate
interfaces.
> Also the modified pcap from redhat stores information about interface
> and direction, and can capture from more than one interface.
Unfortunately, all it stores is the internal interface index; Ethereal
could have a pile of Linux-specific code to translate that to something
a human can actually use, i.e. an interface name, for live captures, but
there's not much it can do about capture files other than assume -
perhaps incorrectly - that the capture was done on the same machine and
that the interfaces have the same indices that they did at the time the
capture was made.