tcpdump mailing list archives

Re: tcpdump and pcap on multiple interfaces


From: Guy Harris <guy () alum mit edu>
Date: Tue, 9 Sep 2008 19:21:05 -0700


On Sep 9, 2008, at 7:02 PM, lei wei wrote:

> I'm trying to capture packets from two network interfaces on FreeBSD using pcap. From what I read about, a "-i any" can be used on Linux to capture from all interfaces. But FreeBSD doesn't seem to recognize it.

BPF devices, unlike Linux PF_PACKET sockets, require that you bind the BPF device to a network interface, in which case it only receives packets from that interface. Thus, the mechanism that the "any" device uses on Linux is not available on OSes using BPF, such as FreeBSD (and NetBSD and OpenBSD and DragonFly BSD and Mac OS X and AIX).

(In addition, unlike Linux PF_PACKET sockets, BPF devices don't have a way to supply "cooked" packets without link-layer headers, so, even if you *could* have an unbound BPF device, there would have to be changes made to BPF to handle capturing from multiple interfaces if they don't all have the same link-layer header type.)

> I wonder if there's a way to capture on multiple interfaces by something like link aggregation, other than launching several capturing processes and merging & sorting?

You can capture from multiple interfaces by opening multiple pcap_t's, one for each interface, and having the main loop of your capture program use select(), poll(), or kqueues to wait for packets to arrive from any of the interfaces (use pcap_get_selectable_fd() to get an FD on which to select from the pcap_t - if it fails, you can't use select()/poll()/kqueues, but, for FreeBSD, it should only fail on FreeBSD 4.3 and 4.4, where there are some BPF bugs that prevent select() and poll() from working).

If a given FD is readable, find the corresponding pcap_t, and call pcap_dispatch() on it to process the packets. Note that, while a single call to pcap_dispatch() will deliver packets in time order (as far as I know - this isn't Linux, so at least it's not *known* to deliver them out of order :-)), you'll have to merge the packets from different interfaces yourself.

(Also, if you want your program to work on OSes other than sufficiently recent versions of *BSD:

1) sufficiently old versions of *BSD don't handle the BPF timeout correctly for select()/poll() - that might not be an issue, but...

2) *all* versions of Mac OS X don't handle the BPF timeout correctly for select();

3) Mac OS X 10.4 and later don't support poll() or kqueues on any character special files, including BPF devices.)
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.