Wireshark mailing list archives

Multiple interface capture device support in dumpcap


From: Stephen Donnelly <Stephen.Donnelly () endace com>
Date: Wed, 6 Jun 2012 03:04:59 +0000

I've posted an 'experimental' patch/hack to dumpcap in Bug #7300.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7300

The dumpcap implementation assumes that there is a one-to-one mapping between capture sources (pipe or pcap device) and 
physical interfaces, and so assigns one pcap-NG 'Interface Id' per source. This is fine for conventional capture 
sources, but does not support devices that represent more than one physical interface well.

The patch adds support for DLT_ERF captures via libpcap. Since a LINKTYPE_ERF represents up to 4 interfaces, I assign 3 
additional sequential Interface Ids, which creates additional IDBs in the captured file.

It seems possible that a pipe data source with DLT_PPI or DLT_ERF could also represent more than one interface. Also in 
future libpcap may support some native form of multiple-interface capture, either with or without pcap-NG capture APIs?

I'm not suggesting this patch is the best solution, although it is functional. Any thoughts? Is it worth adding an 
explicit 'capture device to multi-interface' abstraction layer in dumpcap?

Stephen
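
The Interface Id assignment described in the message, as an added example that is not part of the original post and is not dumpcap's code or the patch in Bug #7300. The `source` struct and both function names are hypothetical; it assumes the 16-byte ERF record header, with the capture interface in the low two bits of the flags byte.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINKTYPE_ETHERNET 1
#define LINKTYPE_ERF      197  /* DLT_ERF value in libpcap */
#define ERF_IFACES        4    /* from the post: one ERF source carries up to 4 interfaces */
#define ERF_HDR_LEN       16
#define ERF_FLAGS_OFFSET  9    /* 8-byte timestamp, 1-byte type, then the flags byte */

/* Hypothetical per-source record; dumpcap's real structures differ. */
struct source { int linktype; uint32_t base_id; };

/* Assign sequential pcap-NG Interface Ids; returns the number of IDBs to write. */
uint32_t assign_ids(struct source *src, size_t n) {
    uint32_t next = 0;
    for (size_t i = 0; i < n; i++) {
        src[i].base_id = next;
        /* An ERF source reserves its base Id plus 3 additional sequential Ids. */
        next += (src[i].linktype == LINKTYPE_ERF) ? ERF_IFACES : 1;
    }
    return next;
}

/* Interface Id for one captured record, or -1 if the ERF header is truncated. */
int64_t record_interface_id(const struct source *s, const uint8_t *rec, size_t len) {
    if (s->linktype != LINKTYPE_ERF)
        return (int64_t)s->base_id;
    if (rec == NULL || len < ERF_HDR_LEN)
        return -1;  /* never read the flags byte past the end of a short record */
    return (int64_t)s->base_id + (rec[ERF_FLAGS_OFFSET] & 0x03);
}

int main(void) {
    struct source src[] = {
        {LINKTYPE_ETHERNET, 0}, {LINKTYPE_ERF, 0}, {LINKTYPE_ETHERNET, 0}
    };
    /* Constructed ERF header: type 2 (Ethernet), flags 0x06 -> capture interface 2. */
    uint8_t rec[ERF_HDR_LEN] = {0};
    rec[8] = 2;
    rec[ERF_FLAGS_OFFSET] = 0x06;
    uint32_t idbs = assign_ids(src, 3);
    printf("IDBs=%u erf_record_id=%lld\n", (unsigned)idbs,
           (long long)record_interface_id(&src[1], rec, sizeof rec));
    return 0;
}
```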
