Wireshark-dev: Re: [Wireshark-dev] Capturing on multiple interfaces [FEATURE REQUEST]
From: Guy Harris <[email protected]>
Date: Fri, 29 Feb 2008 01:31:44 -0800
Andreas Fink wrote:
> Apparently it's possible on some platforms to capture on all interfaces (tcpdump on Linux does this). Under MacOS X, however, only the first interface is used. This means running tcpdump or dumpcap twice and merging the files later together if you want to capture dual-homed traffic (like SCTP).
> Suggestion: fix dumpcap to accept something like -i en0 -i en1 or -i en0,en1. In the first case it does take the last passed interface.
> Or maybe fix libpcap to take all interfaces on MacOS X if none is specified?
Linux supports opening a PF_PACKET socket and not binding it to a 
particular interface; that's how the "any" device is implemented.
Systems using BPF don't support opening a BPF device and not binding it 
to a particular device, which is why there's no "any" device on *BSD or 
OS X (or Solaris or HP-UX or Tru64 UNIX or Irix or Windows) - it's 
fairly simple to do on Linux, but much more complicated on other platforms.
An additional problem is that, on Linux, you can open a PF_PACKET socket 
as a SOCK_DGRAM socket, so that you get only the payload, not the 
link-layer header; libpcap does that for the "any" device, and then 
synthesizes a fake link-layer header for them.  There's no equivalent in 
BPF, so that would either need pcap-NG format (to support multiple 
link-layer types in one capture), or perhaps DLT_PPI (again, to support 
multiple link-layer types in one capture), or code in libpcap to discard 
the link-layer headers and synthesize a link-layer header.
In the case where all the interfaces are supplying packets with the same 
link-layer header type, libpcap could, in principle, implement such a 
mechanism, at least when you're running in blocking mode, although it'd 
require that a pcap_t structure have multiple file descriptors, and that 
waiting for packets to arrive and reading them be done with a select() loop.
Probably the best way to do that would be in dumpcap; much of the pcap 
API (such as non-blocking mode and selecting on a descriptor) couldn't 
be made to work with more than one BPF device.
(In addition, note that "all interfaces" would mean "all interfaces 
present at the time you start the capture" unless you have the main loop 
also catch the arrival and departure of, for example, PPP interfaces 
that appear when you dial up or set up a VPN.)
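As an added illustration (not code from this thread, from libpcap or from Wireshark's dumpcap), the following Python script shows the two mechanisms Guy describes: synthesizing the 16-byte DLT_LINUX_SLL "cooked" header that libpcap prepends to payload-only packets from the Linux "any" device, and writing packets from interfaces with different link-layer types into one pcap-NG file, one Interface Description Block per interface, which classic pcap cannot do because its global header carries a single link type. The interface names, packet bytes and timestamps are constructed for the example; the block and header layouts follow the pcapng and DLT_LINUX_SLL formats.

```python
"""Added example: merge packets from several interfaces into one pcapng file.

pcapng carries one Interface Description Block (IDB) per interface, each with
its own link-layer type, and every Enhanced Packet Block (EPB) names the
interface it came from, so a dual-homed capture with mixed link types fits in
one file. Classic pcap has a single link-layer type in its global header, so
the same mix has to be rejected. Payload-only packets (what a SOCK_DGRAM
PF_PACKET socket delivers) get a synthesized DLT_LINUX_SLL header, as libpcap
does for the Linux "any" device.
"""
import struct

# Link-layer type values from libpcap's pcap/dlt.h
DLT_EN10MB = 1        # Ethernet
DLT_LINUX_SLL = 113   # "Linux cooked" capture, 16-byte synthesized header

# DLT_LINUX_SLL header fields
SLL_HOST, SLL_OUTGOING = 0, 4   # packet type: to this host / sent by this host
ARPHRD_ETHER = 1                # hardware type of the originating interface
ETH_P_IP = 0x0800               # protocol carried after the header

# pcapng block types and the byte-order magic of the Section Header Block
SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
BYTE_ORDER_MAGIC = 0x1A2B3C4D


def sll_header(pkttype, hatype, hwaddr, proto):
    """16-byte DLT_LINUX_SLL header: pkttype(2) hatype(2) halen(2)
    addr(8, zero-padded) proto(2), all big-endian."""
    hwaddr = hwaddr[:8]
    return struct.pack("!HHH8sH", pkttype, hatype, len(hwaddr), hwaddr, proto)


def _block(block_type, body):
    """Frame a pcapng block: type, total length, body padded to 32 bits,
    total length again (the trailing copy lets readers walk backwards)."""
    body += b"\0" * (-len(body) % 4)
    total = 12 + len(body)
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def section_header():
    # magic, major 1, minor 0, section length -1 ("not specified"); no options
    return _block(SHB, struct.pack("<IHHq", BYTE_ORDER_MAGIC, 1, 0, -1))


def interface_block(linktype, snaplen=262144):
    # linktype, reserved, snaplen; no options, so timestamps are microseconds
    return _block(IDB, struct.pack("<HHI", linktype, 0, snaplen))


def packet_block(iface_id, ts_usec, data):
    hdr = struct.pack("<IIIII", iface_id, ts_usec >> 32, ts_usec & 0xFFFFFFFF,
                      len(data), len(data))
    return _block(EPB, hdr + data)


def write_pcapng(interfaces, packets):
    """interfaces: [(name, linktype), ...]; packets: [(iface_index, ts_usec,
    bytes), ...] as read from the per-interface descriptors. Packets are
    ordered by timestamp because a select() loop over several descriptors
    does not hand them over in capture order. Returns the file bytes."""
    out = [section_header()] + [interface_block(lt) for _, lt in interfaces]
    for idx, ts, data in sorted(packets, key=lambda p: p[1]):
        out.append(packet_block(idx, ts, data))
    return b"".join(out)


def read_pcapng(buf):
    """Minimal reader for one little-endian section: returns the list of
    IDB link types and [(iface_id, ts_usec, data), ...]."""
    pos, linktypes, pkts = 0, [], []
    while pos < len(buf):
        btype, total = struct.unpack_from("<II", buf, pos)
        body = buf[pos + 8:pos + total - 4]
        if btype == SHB and struct.unpack_from("<I", body)[0] != BYTE_ORDER_MAGIC:
            raise ValueError("big-endian section not handled by this reader")
        elif btype == IDB:
            linktypes.append(struct.unpack_from("<H", body)[0])
        elif btype == EPB:
            iface, hi, lo, caplen, _ = struct.unpack_from("<IIIII", body)
            pkts.append((iface, (hi << 32) | lo, body[20:20 + caplen]))
        pos += total
    return linktypes, pkts


def classic_pcap_linktype(interfaces):
    """Classic pcap stores exactly one link-layer type in its global header;
    refuse to merge interfaces whose types differ."""
    types = {lt for _, lt in interfaces}
    if len(types) != 1:
        raise ValueError("classic pcap cannot hold link types %s" % sorted(types))
    return types.pop()


# Constructed sample data, not a real capture: a minimal broadcast Ethernet
# frame as seen on en0, and the same IPv4 payload as a payload-only packet.
IP_PAYLOAD = bytes([0x45]) + b"\0" * 19
ETH_FRAME = bytes.fromhex("ffffffffffff0011223344550800") + IP_PAYLOAD
SRC_MAC = bytes.fromhex("001122334455")


def demo():
    interfaces = [("en0", DLT_EN10MB), ("any", DLT_LINUX_SLL)]
    cooked = sll_header(SLL_HOST, ARPHRD_ETHER, SRC_MAC, ETH_P_IP) + IP_PAYLOAD
    packets = [(1, 1204277504000200, cooked), (0, 1204277504000100, ETH_FRAME)]
    return write_pcapng(interfaces, packets)


if __name__ == "__main__":
    with open("merged.pcapng", "wb") as f:
        f.write(demo())
```

Running the script writes merged.pcapng, which Wireshark opens as a two-interface capture with an Ethernet link type on interface 0 and Linux cooked capture on interface 1. The sort by timestamp in write_pcapng stands in for the merge step a select() loop over several BPF descriptors would have to do before writing, and classic_pcap_linktype is the check such a loop needs if the output is classic pcap rather than pcap-NG.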