Wireshark-dev: Re: [Wireshark-dev] pcapng / interface names / OPT_IDB_NAME

From: "Maynard, Chris" <Christopher.Maynard@xxxxxxx>
Date: Fri, 23 Oct 2020 16:13:17 +0000
> -----Original Message-----
> From: Wireshark-dev <wireshark-dev-bounces@xxxxxxxxxxxxx> On Behalf Of
> Harald Welte
> Sent: Saturday, October 17, 2020 10:26 AM
> To: wireshark-dev@xxxxxxxxxxxxx
> Subject: [Wireshark-dev] pcapng / interface names / OPT_IDB_NAME
>
> Dear wireshark developers,
>
> I'm currently facing a problem where I need to create pcap files of about
> 26 network devices in parallel.  24 of those are hdlcX devices (by Linux kernel
> hdlc_fr), while two are Ethernet devices.  So there are different link types, but I
> doubt this matters for the remainder of the discussion.

It matters if you intend to merge different capture files together with different DLTs, in which case you'll most definitely want to use the pcapng format to retain the different interfaces and not the pcap format, which supports only a single encapsulation per file.

> The resulting capture file should of course indicate on which particular
> interface a given packet was sent or received.

If you use pcapng, it will.

> I discovered that pcap-ng has the if_name field as part of the Interface
> Description Block, so that during the capture process, one can store the
> InterfaceID to interface name mapping, and then every packet refers to the
> InterfaceID.
>
> Looking at the wireshark source, wiretap seems to translate that to
> OPT_IDB_NAME and looking further at the code it appears that this might be
> displayed some way.
>
> However, I don't seem to be able to find any code for actually ever writing this
> file when generating capture files.
>
> Furthermore, when starting a cooked Linux capture on the Linux 'any' device, it
> also appears wireshark is not displaying the information about which netdevice
> the message was captured.

Instead of capturing on the "any" interface, you can specify multiple occurrences of the "-i" option for each interface you intend to capture from.  Yes, this makes the command-line longer and initially more tedious to construct, especially if you have a large number of interfaces.

> As far as I know, on AF_PACKET sockets one can do recvmsg() and will then get
> a sockaddr_ll structure alongside the actual packet, which contains the ifindex
> of the underlying network device.  Together with the usual sockopt or netlink
> based method that can be translated to a device name.
>
> Am I missing something?  Is there a specific reason why this information is not
> obtained/displayed or written when writing an output file, even in pcap-ng
> mode?

It should be written, just don't capture on the "any" interface.  When working with a capture file, you'll see the information in the frame.interface_id, frame.interface_name, and frame.interface_description fields.  You can also "View -> Reload as File Format/Capture" and directly view the pcapng file's "Interface Description Block(s)", which is where the frame fields just mentioned get their data from.

- Chris
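To make the second half of Chris's answer concrete: the frame.interface_id / frame.interface_name values Wireshark shows are nothing more than the index and the if_name option (option code 2, OPT_IDB_NAME in wiretap) of the Interface Description Blocks in the file, and each Enhanced Packet Block carries the interface id it belongs to. The script below is an added example, not Wireshark code and not something either poster wrote. It builds a small constructed pcapng file in memory (one Frame Relay interface, one Ethernet interface, three placeholder packets; the payload bytes are filler, not real frames) and then parses it back the way a reader of the file format would, resolving every packet's interface id to its if_name. Assumptions: little-endian sections only, no if_tsresol option (so timestamps are taken as microseconds), and all block types other than SHB, IDB and EPB are skipped.

```python
import struct

# pcapng block types and the IDB option codes used here
SHB = 0x0A0D0D0A
IDB = 0x00000001
EPB = 0x00000006
OPT_ENDOFOPT = 0
OPT_IDB_NAME = 2         # if_name, surfaced by Wireshark as frame.interface_name
OPT_IDB_DESCRIPTION = 3  # if_description, surfaced as frame.interface_description

LINKTYPE_ETHERNET = 1
LINKTYPE_FRELAY = 107


def _pad4(b: bytes) -> bytes:
    return b + b"\x00" * (-len(b) % 4)


def _options(opts) -> bytes:
    # options are (code u16, length u16, value padded to 4), closed by opt_endofopt
    out = b"".join(struct.pack("<HH", code, len(v)) + _pad4(v) for code, v in opts)
    return out + struct.pack("<HH", OPT_ENDOFOPT, 0) if opts else b""


def _block(block_type: int, body: bytes) -> bytes:
    total = 12 + len(body)  # type + length + body + trailing length
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def shb() -> bytes:
    # byte-order magic, version 1.0, section length -1 (unknown), no options
    return _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))


def idb(linktype: int, name: str, description: str = "") -> bytes:
    opts = [(OPT_IDB_NAME, name.encode())]
    if description:
        opts.append((OPT_IDB_DESCRIPTION, description.encode()))
    return _block(IDB, struct.pack("<HHI", linktype, 0, 65535) + _options(opts))


def epb(interface_id: int, ts_usec: int, data: bytes) -> bytes:
    hdr = struct.pack("<IIIII", interface_id, ts_usec >> 32, ts_usec & 0xFFFFFFFF,
                      len(data), len(data))
    return _block(EPB, hdr + _pad4(data))


def _parse_options(buf: bytes) -> dict:
    opts, off = {}, 0
    while off + 4 <= len(buf):
        code, length = struct.unpack_from("<HH", buf, off)
        off += 4
        if code == OPT_ENDOFOPT:
            break
        opts[code] = buf[off:off + length]
        off += length + (-length % 4)
    return opts


def read_pcapng(data: bytes):
    """Return (interfaces, packets): interfaces in IDB order (the list index is
    the interface id) and packets with interface_id resolved to if_name."""
    interfaces, packets, off = [], [], 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or off + total > len(data):
            raise ValueError(f"bad block length {total} at offset {off}")
        trailer, = struct.unpack_from("<I", data, off + total - 4)
        if trailer != total:
            raise ValueError(f"block trailer mismatch at offset {off}")
        body = data[off + 8:off + total - 4]
        if btype == SHB:
            if struct.unpack_from("<I", body, 0)[0] != 0x1A2B3C4D:
                raise ValueError("only little-endian sections are handled here")
            interfaces = []  # interface ids are numbered per section
        elif btype == IDB:
            linktype, _reserved, snaplen = struct.unpack_from("<HHI", body, 0)
            opts = _parse_options(body[8:])
            interfaces.append({
                "linktype": linktype, "snaplen": snaplen,
                "name": opts.get(OPT_IDB_NAME, b"").decode(errors="replace"),
                "description": opts.get(OPT_IDB_DESCRIPTION, b"").decode(errors="replace"),
            })
        elif btype == EPB:
            iface_id, ts_hi, ts_lo, caplen, _origlen = struct.unpack_from("<IIIII", body, 0)
            if iface_id >= len(interfaces):
                raise ValueError(f"EPB references unknown interface {iface_id}")
            packets.append({
                "interface_id": iface_id,
                "interface_name": interfaces[iface_id]["name"],
                "linktype": interfaces[iface_id]["linktype"],
                "timestamp": (ts_hi << 32) | ts_lo,  # microseconds (no if_tsresol)
                "data": body[20:20 + caplen],
            })
        off += total
    return interfaces, packets


def build_sample() -> bytes:
    # Constructed sample: hdlc0 (Frame Relay) and eth0 (Ethernet), three packets
    # with placeholder payload bytes. Not a real capture.
    return b"".join([
        shb(),
        idb(LINKTYPE_FRELAY, "hdlc0", "Frame Relay link 0"),
        idb(LINKTYPE_ETHERNET, "eth0"),
        epb(0, 1_603_000_000_000_000, b"\x04\x01\x03\xcc" + b"\x00" * 8),
        epb(1, 1_603_000_000_000_001, b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01\x08\x00"),
        epb(0, 1_603_000_000_000_002, b"\x04\x01\x03\xcc" + b"\x11" * 8),
    ])


def interface_summary(data: bytes):
    """(frame.interface_id, frame.interface_name, linktype) per packet."""
    _, packets = read_pcapng(data)
    return [(p["interface_id"], p["interface_name"], p["linktype"]) for p in packets]


if __name__ == "__main__":
    interfaces, packets = read_pcapng(build_sample())
    for i, iface in enumerate(interfaces):
        print(f"IDB {i}: if_name={iface['name']!r} linktype={iface['linktype']}")
    for p in packets:
        print(f"frame.interface_id={p['interface_id']} "
              f"frame.interface_name={p['interface_name']} len={len(p['data'])}")
```

To get a file like this from a live capture rather than from the constructed sample, name each interface with its own -i (for example `dumpcap -i hdlc0 -i hdlc1 -i eth0 -w out.pcapng`): dumpcap writes one IDB per interface and tags every packet with the matching interface id. A capture taken on the "any" pseudo-device instead yields a single IDB, so every packet resolves to the same name and the per-device information is gone. `tshark -r out.pcapng -T fields -e frame.interface_id -e frame.interface_name` prints the same two values the parser above recovers.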
