Wireshark-dev: Re: [Wireshark-dev] Capturing on multiple interfaces [FEATURE REQUEST]

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Fri, 29 Feb 2008 01:31:44 -0800
Andreas Fink wrote:
Apparently it's possible on some platforms to capture on all interfaces (tcpdump on Linux does this). Under Mac OS X, however, only the first interface is used. This means running tcpdump or dumpcap twice and merging the files together later if you want to capture dual-homed traffic (like SCTP).

Suggestion: fix dumpcap to accept something like -i en0 -i en1 or -i en0,en1. In the first case it does take the last passed interface.
Or maybe fix libpcap to take all interfaces on Mac OS X if none is specified?

Linux supports opening a PF_PACKET socket and not binding it to a particular interface; that's how the "any" device is implemented.

Systems using BPF don't support opening a BPF device and not binding it to a particular device, which is why there's no "any" device on *BSD or OS X (or Solaris or HP-UX or Tru64 UNIX or Irix or Windows) - it's fairly simple to do on Linux, but much more complicated on other platforms.

An additional problem is that, on Linux, you can open a PF_PACKET socket as a SOCK_DGRAM socket, so that you get only the payload, not the link-layer header; libpcap does that for the "any" device, and then synthesizes a fake link-layer header for them. There's no equivalent in BPF, so that would either need pcap-NG format (to support multiple link-layer types in one capture), or perhaps DLT_PPI (again, to support multiple link-layer types in one capture), or code in libpcap to discard the link-layer headers and synthesize a link-layer header.

In the case where all the interfaces are supplying packets with the same link-layer header type, libpcap could, in principle, implement such a mechanism, at least when you're running in blocking mode, although it'd require that a pcap_t structure have multiple file descriptors, and that waiting for packets to arrive and reading them be done with a select() loop.

Probably the best way to do that would be in dumpcap; much of the pcap API (such as non-blocking mode and selecting on a descriptor) couldn't be made to work with more than one BPF device.

(In addition, note that "all interfaces" would mean "all interfaces present at the time you start the capture" unless you have the main loop also catch the arrival and departure of, for example, PPP interfaces that appear when you dial up or set up a VPN.)
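The two practical points in this exchange, that today's workaround is to capture each interface separately and merge the files afterwards, and that a classic pcap file carries exactly one link-layer type so captures from interfaces with different types need pcapng, can be shown with a small merger. The following is an added example and is not code from the thread, from libpcap or from Wireshark's mergecap; it implements a minimal classic-pcap reader and writer, merges any number of capture files in timestamp order (as mergecap does by default), and refuses to merge files whose link-layer types differ. The sample captures, the `DLT_*` constants used and the `demo()` helper are constructed for illustration.

```python
import heapq
import struct

# Classic pcap constants (values from the libpcap file format)
PCAP_MAGIC_LE = 0xA1B2C3D4      # magic as read from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1      # same magic read from a big-endian file
DLT_EN10MB = 1                  # Ethernet
DLT_LINUX_SLL = 113             # Linux "cooked" header, what the "any" device produces


def write_pcap(linktype, packets, snaplen=65535):
    """Build a classic pcap file in memory.

    packets is a list of (ts_sec, ts_usec, bytes). The file-level linktype is
    the reason two captures with different link-layer types cannot share one
    classic pcap file: there is only one such field per file.
    """
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype))
    for sec, usec, data in packets:
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", sec, usec, len(data), len(data))
        out += data
    return bytes(out)


def read_pcap(blob):
    """Parse a classic pcap file; returns (linktype, [(sec, usec, data), ...])."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled by this example)")
    _, _, _, _, _, _, linktype = struct.unpack_from(endian + "IHHiIII", blob, 0)
    off, pkts = 24, []
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        pkts.append((sec, usec, bytes(blob[off:off + incl])))
        off += incl
    return linktype, pkts


def merge_captures(blobs):
    """Merge classic pcap files by timestamp, the way separate per-interface
    captures are combined after the fact.

    Returns (linktype, merged_packets). Raises ValueError if the inputs do not
    all share one link-layer type, since a classic pcap output could not
    represent them; that case needs pcapng (or a synthesized common header).
    """
    linktypes, streams = set(), []
    for blob in blobs:
        lt, pkts = read_pcap(blob)
        linktypes.add(lt)
        streams.append(pkts)
    if len(linktypes) != 1:
        raise ValueError("link-layer types differ: %s; use pcapng for a mixed capture"
                         % sorted(linktypes))
    # heapq.merge assumes each input is already sorted, which is true for a
    # capture written in arrival order; sort by (sec, usec).
    merged = list(heapq.merge(*streams, key=lambda p: (p[0], p[1])))
    return linktypes.pop(), merged


# Constructed sample captures: two interfaces, interleaved timestamps
SAMPLE_EN0 = write_pcap(DLT_EN10MB, [(1000, 100, b"en0-pkt-1"), (1000, 300, b"en0-pkt-2")])
SAMPLE_EN1 = write_pcap(DLT_EN10MB, [(1000, 200, b"en1-pkt-1"), (1000, 400, b"en1-pkt-2")])
SAMPLE_ANY = write_pcap(DLT_LINUX_SLL, [(1000, 50, b"sll-pkt")])


def demo():
    """Merge the two Ethernet samples; returns payloads in merged order."""
    _, merged = merge_captures([SAMPLE_EN0, SAMPLE_EN1])
    return [data for _, _, data in merged]


if __name__ == "__main__":
    print(demo())
    try:
        merge_captures([SAMPLE_EN0, SAMPLE_ANY])
    except ValueError as e:
        print("refused:", e)
```

The merge is the easy half of the problem; the hard half that Guy describes, reading several BPF devices at once from one process, does not change the file-format constraint shown here, which is why the reply points at pcapng or a synthesized header whenever the interfaces differ in link-layer type.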