Wireshark-users: Re: [Wireshark-users] capturing packets on two interfaces: eth0 and lo

Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 31 Oct 2012 10:08:21 -0700
On Oct 31, 2012, at 9:46 AM, esolve esolve <esolvepolito@xxxxxxxxx> wrote:

> I'm wondering whether running two instances will lead to capturing problems, like packet losses,

On a multi-core machine, two instances may well lose *fewer* packets, as the two instances could run on different cores.  On a single-core machine, whether you'll lose fewer or more packets (or the same number of packets, or no packets) depends on whether the overhead of switching tasks is a significant burden.

> out of order,

As the packets are going to separate files, presumably "out of order" refers to getting eth0 packets out of order relative to other eth0 packets or lo packets out of order relative to other lo packets.  The packets will be time stamped and delivered to separate PF_PACKET sockets in the same fashion regardless of whether you're running one or two instances, so that won't matter.

> or even packet dilivery problems,

PF_PACKET sockets are passive taps, so they won't affect delivery of packets to the intended recipient - and, again, the PF_PACKET sockets will work the same regardless of whether there's one process or two separate processes reading from them.

In any case, as noted, you don't have the option to use a single instance writing to two separate files with any of Wireshark's programs or with tcpdump.