Ethereal-dev: Re: [Ethereal-dev] Capturing from multiple interfaces, and why we need this.

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 1 Feb 2004 12:00:30 -0800
On Sun, Feb 01, 2004 at 05:56:36PM +0100, Ulf Lamping wrote:
> I was talking about to enable Ethereal to be able to capture data from 
> more than one interface.
> 
> When I remember it correctly, it's currently possible in libpcap/winpcap 
> to open more than one interface for capturing,
> that's done when multiple instances of Ethereal capturing the same time.

Yes, that's true, but:

> The only things left to do would be to handle the requested channels in 
> parallel and change the GUI part corresponding to this.
> This task might be somewhat easy to achievs, unless I miss something 
> important out.

...you have, in fact, missed something important.

In theory, on UNIX, a "select()" or "poll()" can be done on the
descriptor you get from "pcap_fileno()" and, as most if not all GUI
toolkits for UNIXes allow descriptors of that sort to be added to the
list of event sources checked in the main GUI event loop, one could add
one or more such pcap streams to the main GUI loop.

On Windows, one could add a HANDLE that supports
"WaitForMultipleEvents()", such as the one returned by
"pcap_getevent()", to the main loop either of the native Win32 event
loop or, I think, the GTK+-for-Win32 event loop.

However:

	1) you can't always get the behavior you want from "select()" or
	   "poll()" on BPF devices - only some more recent versions of
	   some BSDs support it correctly - and, although there's a
	   workaround, that workaround doesn't, at least from looking at
	   the code, work on FreeBSD 4.3 or 4.4;

	2) currently, "select()" and "poll()" don't work at all on DAG
	   devices;

	3) as I remember, in WinPcap prior to 3.0, "pcap_getevent()"
	   didn't return a valid handle on Windows NT/2K/XP/etc. - I
	   think that might be fixed in 3.0, but I haven't tested it.

Also, libpcap format currently can't handle captures with more than one
link-layer type in them; there are plans to come up with a
next-generation libpcap format that will, among other things, be able to
handle that.  As such, Ethereal might have to handle a
multiple-interface capture with multiple capture files.