Wireshark-dev: Re: [Wireshark-dev] Question about capturing from multiple interfaces that have

From: "Herb Falk <herb@xxxxxxxxxxxx>" <Herb@xxxxxxxxxxxx>
Date: Mon, 15 Sep 2014 18:55:16 +0000

See below:

Herbert Falk

Solutions Architect

SISCO, INC.

6605 19 ½ Mile Rd.

Sterling Heights, MI 48314

(586) 254-0020 x-105

-----Original Message-----
From: wireshark-dev-bounces@xxxxxxxxxxxxx [mailto:wireshark-dev-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Monday, September 15, 2014 2:14 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Question about capturing from multiple interfaces that have the same MAC Address

On Sep 15, 2014, at 10:44 AM, "Herb Falk <herb@xxxxxxxxxxxx>" <Herb@xxxxxxxxxxxx> wrote:

> There appears to be an issue with Wireshark capturing information from interfaces that have the same MAC Address.

So what is the issue?  Does capture fail to start?  If so, what error is reported?  Do some packets not get captured?  Do no packets get captured? On what operating system is this?

[Herb]: If Wireshark is left in the Interface/Capture display (not even doing any captures) the system eventually crashes (takes about 2-3 minutes). If I try to enable captures on interfaces with the same MAC Addresses, Wireshark stops responding and the system crashes. If I select “Options” from the Interface/capture display and have multiple interfaces selected, Wireshark becomes non-responsive and the system eventually crashes. If you select one interface that has a duplicate MAC, it still crashes eventually.

> Does somebody know if this is an issue, or where the code for interface/MAC address binding is?

What do you mean by "binding"?  Assigning a MAC address to an interface?  Deciding, if both interfaces receive a copy of a given packet, which one gets inserted into the networking code and passed up to libpcap/WinPcap and thus to Wireshark?  In both of those cases, the code is in your OS, and where it is in the OS depends on what OS it is.

[Herb]: There is a little bit more going on. Consider 4 NICs (a, b, c, d); they are teamed into 2 pairs (t1 and t2). a & b have the same MAC, as does t1. c and d have the same MAC, as does t2. There is another WinPcap application that runs on the box, and it has no problem with the configuration. My “binding” question was: if Wireshark uses the interface to look up the MAC and there are multiple NICs with the same MAC, this could be causing a loop/issue inside of Wireshark. Don’t know, but would like a pointer to the code so I could step through it. Maybe binding was the incorrect word.
