
Wireshark-bugs: [Wireshark-bugs] [Bug 7300] New: patch: Add frame.interface support for pcapng L

Date: Mon, 28 May 2012 20:12:45 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7300

           Summary: patch: Add frame.interface support for pcapng
                    LINKTYPE_ERF live capture (dumpcap)
           Product: Wireshark
           Version: SVN
          Platform: x86
        OS/Version: All
            Status: NEW
          Severity: Enhancement
          Priority: Low
         Component: Wireshark
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: stephen@xxxxxxxxxx


Stephen Donnelly <stephen@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #8503|                            |review_for_checkin?
              Flags|                            |

Created attachment 8503
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8503
Patch adding frame.interface support when capturing in pcapng format with
LINKTYPE_ERF

Build Information:
wireshark 1.7.2 (SVN Rev 42814 from /trunk)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GTK+ 2.24.6, with Cairo 1.10.2, with Pango 1.29.3, with
GLib 2.30.0, with libpcap, with libz 1.2.3.4, with POSIX capabilities (Linux),
with SMI 0.4.8, with c-ares 1.7.4, with Lua 5.1, without Python, with GnuTLS
2.10.5, with Gcrypt 1.5.0, with MIT Kerberos, with GeoIP, with PortAudio <= V18,
with AirPcap.

Running on Linux 3.0.0-19-generic, with locale en_NZ.UTF-8, with libpcap version
1.3.0-PRE-GIT_2011_08_23, with libz 1.2.3.4, GnuTLS 2.10.5, Gcrypt 1.5.0,
without AirPcap.

Built using gcc 4.6.1.

--
This is an experimental patch to add support for multiple ERF interfaces when
performing live capture from one or more DAG cards in dumpcap in pcapng format
via libpcap.

Endace DAG cards can support up to 4 physical interfaces. The native capture
format ERF marks each record with a pseudo header indicating the capture
interface.

When capturing using libpcap, the DLT/LINKTYPE_ERF format includes the ERF
pseudo header in the pcap payload. This can later be extracted to indicate the
capture interface to Wireshark.

The dumpcap implementation assumes that there is a one-to-one mapping between
capture sources (pipe or pcap device) and physical interfaces, and assigns one
pcap-NG Interface Id per source. Since a LINKTYPE_ERF represents up to 4
interfaces, we assign 3 additional sequential Interface Ids, which creates
additional IDBs in the captured file.

This implementation is functional but rough. I would not necessarily expect it
to be committed as-is, but rather to start a discussion on how dumpcap could
best handle one-to-many mappings of sources to interfaces.

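Added example, not part of the original report or of attachment 8503: a C sketch of reading the capture interface from the ERF pseudo header at the start of a LINKTYPE_ERF payload and offsetting it from the source's first pcap-NG Interface Id. The function names, the base-id mapping and the sample bytes are assumptions made for illustration; the patch's actual code is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ERF record header: ts(8) type(1) flags(1) rlen(2) lctr(2) wlen(2) */
#define ERF_HDR_LEN      16
#define ERF_FLAGS_OFFSET 9
#define ERF_IFACE_MASK   0x03  /* low two flag bits: capture interface 0..3 */

/* Constructed sample: one ERF header followed by 4 dummy payload bytes. */
static const uint8_t sample_erf[] = {
    0, 0, 0, 0, 0, 0, 0, 0,  /* timestamp */
    0x02,                    /* type (2 = Ethernet) */
    0x06,                    /* flags: variable-length bit set, interface 2 */
    0x00, 0x14,              /* rlen = 20, big-endian, header included */
    0x00, 0x00,              /* lctr */
    0x00, 0x04,              /* wlen */
    0xde, 0xad, 0xbe, 0xef
};

/* Returns the ERF capture interface (0..3), or -1 when the captured bytes
 * cannot hold a full ERF header or rlen is smaller than the header. */
int erf_capture_interface(const uint8_t *payload, size_t caplen)
{
    if (payload == NULL || caplen < ERF_HDR_LEN)
        return -1;
    unsigned rlen = ((unsigned)payload[10] << 8) | payload[11];
    if (rlen < ERF_HDR_LEN)
        return -1;
    return payload[ERF_FLAGS_OFFSET] & ERF_IFACE_MASK;
}

/* Hypothetical mapping: the source owns four sequential Interface Ids
 * starting at base_id (the original id plus 3 additional ones). */
long pcapng_interface_id(uint32_t base_id, const uint8_t *payload, size_t caplen)
{
    int iface = erf_capture_interface(payload, caplen);
    if (iface < 0)
        return -1;  /* caller decides: drop, or fall back to base_id */
    return (long)base_id + iface;
}

int main(void)
{
    printf("erf iface=%d pcapng id=%ld\n",
           erf_capture_interface(sample_erf, sizeof sample_erf),
           pcapng_interface_id(4, sample_erf, sizeof sample_erf));
    return 0;
}
```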