Re: Question about capturing from multiple interfaces that have the same MAC Address

["Herb Falk <herb () sisconet com>" <Herb () sisconet com>]

See below:







Herbert Falk

Solutions Architect

SISCO, INC.

6605 19 ½ Mile Rd.

Sterling Heights, MI 48314

(586) 254-0020 x-105







"In matters of style, swim with the current;   in matters of principle, stand like a rock." [Thomas Jefferson]





NOTICE: This communication may contain privileged or other confidential information. If you are not the intended 
recipient, or believe that you have  received this communication in error, please do not print, copy, retransmit,  
disseminate, or otherwise use the information. Also,  please indicate to the sender that you have received this 
communication in error, and delete the copy you received. Thank you.



-----Original Message-----
From: wireshark-dev-bounces () wireshark org [mailto:wireshark-dev-bounces () wireshark org] On Behalf Of Guy Harris
Sent: Monday, September 15, 2014 2:14 PM
To: Developer support list for Wireshark
Subject: Re: [Wireshark-dev] Question about capturing from multiple interfaces that have the same MAC Address





On Sep 15, 2014, at 10:44 AM, "Herb Falk <herb () sisconet com<mailto:herb () sisconet com>>" <Herb () sisconet 
com<mailto:Herb () sisconet com>> wrote:



> There appears to be an issue with Wireshark capturing information from interfaces that have the same MAC Address.



So what is the issue?  Does capture fail to start?  If so, what error is reported?  Do some packets not get captured?  
Do no packets get captured? On what operating system is this?



[Herb]:  If Wireshark is left in the Interface/Capture display (not even doing any captures) the system eventually 
crashes (takes about 2-3 minutes).  If I try to enable captures on interfaces with the same MAC Addresses, Wireshark 
stops responding and the system crashes.  If I select "Options" from the Interface/capture display and have multiple 
interfaces selected, Wireshark becomes non-responsive and the system eventually crashes.  If you select one interface, 
that has a duplicate MAC, it still crashes eventually.



> Does somebody know if this is an issue, or where the code for interface/MAC address binding is?



What do you mean by "binding"?  Assigning a MAC address to an interface?  Deciding, if both interfaces receive a copy 
of a given packet, which one gets inserted into the networking code and passed up to libpcap/WinPcap and thus to 
Wireshark?  In both of those cases, the code is in your OS, and where it is in the OS depends on what OS it is.



[Herb]: There is a little bit more going on.  Consider 4 NICs (a,b,c,d)  they are teamed into 2 pairs (t1 and t2). a & 
b have the same MAC as does t1. c and d have the same MAC as does t2.  There is another Winpcap application that runs 
on the box, and it has no problem with the configuration.  My "binding" question was if Wireshark uses the interface to 
lookup the MAC and there are multiple NICs with the same MAC, this could be causing a loop/issue inside of Wireshark.  
Don't know, but would like a pointer to the code so I could step through it.  Maybe binding was the incorrect word.



___________________________________________________________________________

Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org<mailto:wireshark-dev () wireshark org>>

Archives:    http://www.wireshark.org/lists/wireshark-dev

Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev

             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe