Wireshark-users: Re: [Wireshark-users] Sniffing Multiple Interfaces

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 25 Oct 2010 14:39:17 -0700

On Oct 23, 2010, at 1:04 AM, Will wrote:

> I would like to request a feature enhancement on Wireshark:  in 
> the Interfaces dialog, could you allow selection of multiple 
> interfaces, so that we can scan more than one at the same time, 
> inside a single viewing window?

Given that we now support capturing into a pcap-ng file, that's not impossible.

It would require either that

	1) multiple instances of dumpcap cooperatively write to a single capture file (probably not easy to do)

or

	2) multiple threads within dumpcap cooperatively write to a single capture file (probably easier than #1, but still involves work)

or

	3) dumpcap be able to have a run loop where it waits for packets to arrive from any of a number of interfaces and processes the packets from all of them (done differently on UN*X and Windows, and needs to deal with, for example, problems with select() on BPF devices on some versions of some OSes, including *all* current versions of Mac OS X - some problems might make it impossible on some platforms; single-threading it also might reduce its ability to process high traffic)

or

	4) multiple instances of dumpcap writing to multiple capture files, and Wireshark reading from all of those files and doing a merge.

My *guess* is that #4 would have the fewest problems.  None of them are likely to be a trivial change, however.

(The "any" device on Linux also lets you do that, but it's implemented in libpcap by not binding the capture socket to a particular interface; other capture mechanisms don't offer the choice of not being bound to a particular interface, so libpcap doesn't support the "any" device on other OSes.)
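
Added example (not part of the message above and not Wireshark's code): the merge step of option 4, reading one classic pcap stream per interface and interleaving the records by timestamp while tagging each with its interface. The function names, interface names and sample packets are constructed for illustration, and each input is assumed to be time-ordered on its own.

```python
import heapq
import io
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(packets):
    """Constructed sample data: pcap bytes from (sec, usec, payload) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # 1 = Ethernet
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return out

def read_pcap(stream, iface):
    """Yield (timestamp_usec, iface, payload) for each complete record."""
    header = stream.read(24)
    if len(header) < 24:
        raise ValueError(f"{iface}: truncated pcap file header")
    magic = struct.unpack("<I", header[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic, written by a big-endian host
        endian = ">"
    else:
        raise ValueError(f"{iface}: not a classic pcap file")
    while True:
        rec = stream.read(16)
        if len(rec) < 16:
            return  # end of file, or a record header the writer has not finished
        sec, usec, caplen, _origlen = struct.unpack(endian + "IIII", rec)
        data = stream.read(caplen)
        if len(data) < caplen:
            return  # partial packet at the tail: stop instead of emitting it
        yield sec * 1_000_000 + usec, iface, data

def merge_captures(streams):
    """Merge per-interface streams (dict: name -> file object) by timestamp."""
    readers = [read_pcap(f, name) for name, f in streams.items()]
    return list(heapq.merge(*readers, key=lambda rec: rec[0]))

if __name__ == "__main__":
    eth0 = build_pcap([(1, 100, b"A"), (1, 500, b"C"), (2, 0, b"E")])
    wlan0 = build_pcap([(1, 300, b"B"), (1, 900, b"D")])
    merged = merge_captures({"eth0": io.BytesIO(eth0), "wlan0": io.BytesIO(wlan0)})
    for ts, iface, data in merged:
        print(f"{ts / 1e6:.6f} {iface:5} {data!r}")
```

For captures already on disk, the mergecap tool shipped with Wireshark performs this kind of merge.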