Re: Problems with capturing on multiple interfaces

[Michael Tüxen <Michael.Tuexen () lurchi franken de>]

On May 20, 2011, at 4:25 PM, Chris Maynard wrote:

> Michael Tüxen <Michael.Tuexen@...> writes:
>
> > You actually need:
> > -n to use pcapng
> > and
> > -t to use threads.
> >
> > It is simple to add -n and -t if you are specifying more than one interface
> > (actually this is what tshark and wireshark do). I wanted to be explicit
> > since I consider it currently an experimental feature. But, if the groups
> > prefers, we can add -n and -t if there is more than one interface specified.
>
> To me, if it doesn't work without -n and -t, then it makes it that much more
> user-friendly to automatically use pcapng and threads whenever multiple
> interfaces are specified.
OK, it looks like some others want this, too. I'll implement it.
> I understand this is still a work in progress, but something else I was thinking
> about was the "-i any" interface.  What will happen if someone specifies
> something like, "-i eth0 -i any -i lo" or variations thereof?  I assume it would
> be treated as "-i any" only?
No. dumpcap will do what it is told to do: capture on three devices. So you
will see packets multiple times.

You can also do 
dumpcap -i lo0 -i lo0
which will show every packet twice (not sure if it makes sense), but you could do
dumpcap -i lo0 -f udp -i lo0 -f sctp
which will separate packets based on the transport protocol.

The general principle is, that dumpcap will not do much magic with what
it is told to do...
> And speaking of "-i any", obviously on Windows, that isn't supported ... but a
> neat thing would be if it could be by internally scanning all interfaces and
> treating it as if "-i 1 -i 2 ... -i n" were specified.
I think dumpcap should use the any interface (if available), but using a 
different name like -i all (or something similar) would be a good addition.
I'll put it on the ToDo list, but with lower priority. First I want to
integrate the multiple interface stuff in Wireshark...
> And while I'm at it ... another feature that I think would be nice to have would
> be to be able to specify capturing on an interface that doesn't yet exist, such
> as ppp0.  For my USB/PPP capturing, currently to get a capture of all traffic
> over that interface, I either have to use usbmon or ppp's record option to
> generate a pppdump file.  (OK, this last one isn't really specific to capturing
> on multiple interfaces, but it's related to capturing so ...)
Hmm. This brings up the question what -i all actually means:
(a) All interfaces at the time the dumpcap was called
(b) All interfaces at the current time.

I was thinking about (a), but one could do (b). I do know how to get the
information of added interfaces on (some) Unix systems, but I have no idea
how to do that on Windows. But someone will know this.
There is one drawback: Currently dumpcap opens all pcap devices and then
gives up the privileges to do so. If we want dumpcap to open the pcap devices
when interfaces come up, we can't give up the privileges. Hmm. So at least
we would be another command line switch to modify the semantic of -i all
from (a) to (b).

Best regards
Michael
> > Thanks for the feedback.
> You're welcome ... thanks for the feature!
> - Chris
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe