Wireshark-bugs: [Wireshark-bugs] [Bug 13096] New: Allow capture of iptap and pktap pseudo-interf

Date: Fri, 04 Nov 2016 21:41:53 +0000
Bug ID 13096
Summary Allow capture of iptap and pktap pseudo-interfaces on Mac OS
Product Wireshark
Version 2.0.3
Hardware x86
OS OS X 10.10
Status UNCONFIRMED
Severity Enhancement
Priority Low
Component Qt UI
Assignee [email protected]
Reporter [email protected]

Build Information:
Wireshark 2.0.3 (v2.0.3-0-geed34f0 from master-2.0)

Copyright 1998-2016 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with libpcap, without POSIX capabilities, with
libz 1.2.5, with GLib 2.36.0, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.2,
with GnuTLS 2.12.19, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with
QtMultimedia, without AirPcap.

Running on Mac OS X 10.10.5, build 14F1912 (Darwin 14.5.0), with locale C, with
libpcap version 1.5.3 - Apple version 47, with libz 1.2.5, with GnuTLS 2.12.19,
with Gcrypt 1.5.0.
Intel(R) Core(TM) i7-4870HQ CPU @ 2.50GHz (with SSE4.2)

Built using llvm-gcc 4.2.1 (Based on Apple Inc. build 5658) (LLVM build
2336.9.00).
--
On MacOS, there exist at least two pseudointerfaces, "iptap" and "pktap", which
are somewhat documented in the tcpdump man page:

> A pktap pseudo interface provides for packet metadata using the default PKTAP data link type and files are written in the Pcap-ng file format. The RAW data link type must be used to force tcpdump to use the legacy pcap-savefile(5) file format with a pktap pseudo interface. Note that captures on a pktap pseudo interface will not be done in promiscuous mode.
> 
> An interface argument of "iptap" can be used to capture packets at the IP layer. This captures packets as they are passed to the input and output routines of the IPv4 and IPv6 protocol handlers of the networking stack. Note that captures will not be done in promiscuous mode.

I have found that "iptap" is the only way to capture traffic inside VPN
tunnels.  (The "utun" interface doesn't seem to allow capturing from any
utility I've tried, including tcpdump and Wireshark.)

As noted in #11659, Wireshark can be "tricked" into allowing captures on these
interfaces by manually starting a tcpdump, which then allows access to the
pseudointerface from the Wireshark GUI, but it would be nice if the user didn't
have to know this trick.
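The man page excerpt above says a pktap/iptap capture is written as pcapng with the PKTAP link type unless the RAW link type is forced, in which case tcpdump falls back to legacy pcap. The following is an added example (not code from this bug report or from the Wireshark project) that checks a capture file produced by `tcpdump -i iptap -w ...` and reports which of the two cases it is, so you can tell before opening it in Wireshark whether the PKTAP metadata header is present. The two sample files it parses are constructed inline; the link-type numbers are the standard pcap/pcapng registry values, and the minimal block layouts follow the pcapng and pcap specifications.

```python
"""Identify the file format and link-layer type of a pcap/pcapng capture.

Added example for checking what `tcpdump -i iptap` / `tcpdump -i pktap` wrote:
pcapng + LINKTYPE_PKTAP by default, legacy pcap + LINKTYPE_RAW when "-y RAW"
is used. The sample inputs below are constructed, not real captures.
"""
import struct
import sys

LINKTYPE_RAW = 101      # raw IPv4/IPv6 packets (what "-y RAW" forces)
LINKTYPE_PKTAP = 258    # Apple PKTAP metadata header in front of each packet
PCAPNG_SHB = 0x0A0D0D0A  # Section Header Block type (same bytes in either endian)
PCAPNG_BOM = 0x1A2B3C4D  # byte-order magic inside the SHB
PCAPNG_IDB = 0x00000001  # Interface Description Block type
PCAP_MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # legacy pcap, microsecond / nanosecond


def inspect_capture(data: bytes) -> dict:
    """Return {"format": "pcap"|"pcapng", "linktypes": [...]} for a capture blob."""
    if len(data) < 12:
        raise ValueError("too short to be a capture file")

    if struct.unpack("<I", data[:4])[0] == PCAPNG_SHB:
        bom = data[8:12]
        if bom == struct.pack("<I", PCAPNG_BOM):
            end = "<"
        elif bom == struct.pack(">I", PCAPNG_BOM):
            end = ">"
        else:
            raise ValueError("bad pcapng byte-order magic")
        linktypes = []
        off = 0
        # Walk the block chain; each IDB carries the link type of one interface.
        while off + 8 <= len(data):
            btype, blen = struct.unpack(end + "II", data[off:off + 8])
            if blen < 12 or off + blen > len(data):
                raise ValueError("truncated or corrupt pcapng block")
            if btype == PCAPNG_IDB:
                (lt,) = struct.unpack(end + "H", data[off + 8:off + 10])
                linktypes.append(lt)
            off += blen
        return {"format": "pcapng", "linktypes": linktypes}

    for end in ("<", ">"):
        (magic,) = struct.unpack(end + "I", data[:4])
        if magic in PCAP_MAGICS:
            if len(data) < 24:
                raise ValueError("truncated pcap global header")
            (lt,) = struct.unpack(end + "I", data[20:24])
            # Newer pcap writers may use the top 4 bits for FCS info; mask them off.
            return {"format": "pcap", "linktypes": [lt & 0x0FFFFFFF]}

    raise ValueError("not a pcap or pcapng file")


def describe(data: bytes) -> str:
    """Human-readable verdict matching the two cases in the tcpdump man page."""
    info = inspect_capture(data)
    if info["format"] == "pcapng" and LINKTYPE_PKTAP in info["linktypes"]:
        return "pcapng with PKTAP metadata (default for iptap/pktap)"
    if info["format"] == "pcap" and info["linktypes"] == [LINKTYPE_RAW]:
        return "legacy pcap, RAW link type (forced with -y RAW, no PKTAP metadata)"
    return "%s, link types %s" % (info["format"], info["linktypes"])


def pcapng_sample(linktype: int) -> bytes:
    """Constructed minimal little-endian pcapng: SHB + one IDB, no options."""
    shb_body = struct.pack("<IHHq", PCAPNG_BOM, 1, 0, -1)   # BOM, 1.0, unknown length
    shb = struct.pack("<II", PCAPNG_SHB, 28) + shb_body + struct.pack("<I", 28)
    idb_body = struct.pack("<HHI", linktype, 0, 0)            # linktype, reserved, snaplen
    idb = struct.pack("<II", PCAPNG_IDB, 20) + idb_body + struct.pack("<I", 20)
    return shb + idb


def pcap_sample(linktype: int) -> bytes:
    """Constructed little-endian legacy pcap global header (24 bytes)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(describe(f.read()))
    else:
        print(describe(pcapng_sample(LINKTYPE_PKTAP)))
        print(describe(pcap_sample(LINKTYPE_RAW)))
```

Run it as `python3 inspect_capture.py /path/to/capture.pcapng` on the file tcpdump wrote; with no argument it runs over the two constructed samples. The format check only looks at the headers, so it also works on a capture that is still being written by a background tcpdump.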

