Wireshark-dev: Re: [Wireshark-dev] pcapng / interface names / OPT_IDB_NAME

From: Harald Welte <laforge@xxxxxxxxxxxx>
Date: Sat, 24 Oct 2020 18:59:51 +0200
Hi Chris,

thanks for your input.

On Fri, Oct 23, 2020 at 04:13:17PM +0000, Maynard, Chris via Wireshark-dev wrote:
> > I'm currently facing a problem where I need to create pcap files of about
> > 26 network devices in parallel.  24 of those are hdlcX devices (by Linux kernel
> > hdlc_fr), while two are Ethernet devices.  So there are different link types, but I
> > doubt this matters for the remainder of the discussion.
> 
> It matters if you intend to merge different capture files together with different DLT's, in which case you'll most definitely want to use the pcapng format to retain the different interfaces and not the pcap format, which supports only a single encapsulation per file.

I was imprecise. In the above sentence, replace "I need to create pcap
files" with "I need to create packet captures in whatever format
supported by wireshark".  So pcap-ng is perfectly fine here.

> > The resulting capture file should of course indicate on which particular
> > interface a given packet was sent or received.
> 
> If you use pcapng, it will.

great.

> > Furthermore, when starting a cooked Linux capture on the Linux 'any' device, it
> > also appears wireshark is not displaying the information about which netdevice
> > the message was captured.
> 
> Instead of capturing on the "any" interface, you can specify multiple
> occurrences of the "-i" option for each interface you intend to
> capture from.  Yes, this makes the command-line longer and initially
> more tedious to construct, especially if you have a large number of
> interfaces.

Ok, will try that, thanks.  Didn't know it was possible, to be honest.

> > As far as I know, on AF_PACKET sockets one can do recvmsg() and will then get
> > a sockaddr_ll structure alongside the actual packet, which contains the ifindex
> > of the underlying network device.  Together with the usual sockopt or netlink
> > based method that can be translated to a device name.
> >
> > Am I missing something?  Is there a specific reason why this information is not
> > obtained/displayed or written when writing an output file, even in pcap-ng
> > mode?
> 
> It should be written, just don't capture on the "any" interface.  

Thanks, I hear you.  However:
I'm wondering why that is.  Is there any fundamental reason for it?  As
I stated above, an AF_PACKET socket does not have to be bound to a
specific interface (see "man 7 packet") and when recvmsg() is used, you
will get the interface index of the interface on a per-packet basis.

Am I misunderstanding the capabilities of AF_PACKET sockets?  Or is this
simply something wireshark never implemented, but it could very well be
added.  In the latter case, I might be tempted to try cooking up a
patch.

-- 
- Harald Welte <laforge@xxxxxxxxxxxx>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)
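As an added illustration of the point Harald raises, and not code from this thread or from Wireshark/libpcap: a minimal Linux program that opens an AF_PACKET socket without binding it to any interface (the kernel-side equivalent of capturing on "any"), reads packets with recvmsg(), and pulls the per-packet sll_ifindex out of the returned sockaddr_ll, resolving it to a name with if_indextoname(). The helper names and the 5-packet loop are my own choices; the program needs CAP_NET_RAW to open the socket.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

/* Extract the receiving interface index from the address recvmsg() filled in.
 * Returns -1 when the kernel did not supply a complete sockaddr_ll. */
static int ifindex_from_msg(const struct sockaddr_ll *sll, socklen_t namelen)
{
    if (namelen < sizeof(struct sockaddr_ll) || sll->sll_family != AF_PACKET)
        return -1;
    return sll->sll_ifindex;
}

/* Map an index to a device name, as a capture tool would when choosing which
 * pcapng interface block a packet belongs to; falls back to "ifindexN". */
static const char *ifname_for_index(int ifindex, char *buf, size_t len)
{
    if (ifindex > 0 && if_indextoname((unsigned)ifindex, buf))
        return buf;
    snprintf(buf, len, "ifindex%d", ifindex);
    return buf;
}

int main(void)
{
    /* Unbound AF_PACKET socket: receives from every interface, like "any". */
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket (needs CAP_NET_RAW)"); return 1; }

    unsigned char pkt[65536];
    struct sockaddr_ll sll;
    struct iovec iov = { .iov_base = pkt, .iov_len = sizeof pkt };
    struct msghdr msg = { .msg_name = &sll, .msg_namelen = sizeof sll,
                          .msg_iov = &iov, .msg_iovlen = 1 };
    for (int i = 0; i < 5; i++) {
        ssize_t n = recvmsg(fd, &msg, 0);
        if (n < 0) { perror("recvmsg"); break; }
        char name[IF_NAMESIZE + 16];
        int idx = ifindex_from_msg(&sll, msg.msg_namelen);
        printf("%zd bytes on %s (ifindex %d, hatype %u)\n", n,
               ifname_for_index(idx, name, sizeof name), idx, sll.sll_hatype);
        msg.msg_namelen = sizeof sll;   /* reset before the next call */
    }
    close(fd);
    return 0;
}
```

Each recvmsg() call yields the index of the device the frame arrived on, so the information needed to tag packets per interface is available even without one socket per device.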