
Wireshark-dev: Re: [Wireshark-dev] Capturing on multiple interfaces [FEATURE REQUEST]

From: Andreas Fink <afink@xxxxxxxxxxxxx>
Date: Fri, 29 Feb 2008 13:40:13 +0100

On 29.02.2008, at 10:31, Guy Harris wrote:

> Andreas Fink wrote:
>> Apparently it's possible on some platforms to capture on all interfaces
>> (tcpdump on Linux does this).
>> Under MacOS X, however, only the first interface is used. This means
>> running tcpdump or dumpcap twice and merging the files together later if
>> you want to capture dual-homed traffic (like SCTP).
>>
>> Suggestion: fix dumpcap to accept something like -i en0 -i en1 or -i
>> en0,en1. In the first case it does take the last passed interface.
>> Or maybe fix libpcap to take all interfaces on MacOS X if none is specified?
>
> Linux supports opening a PF_PACKET socket and not binding it to a
> particular interface; that's how the "any" device is implemented.
>
> Systems using BPF don't support opening a BPF device and not binding it
> to a particular device, which is why there's no "any" device on *BSD or
> OS X (or Solaris or HP-UX or Tru64 UNIX or Irix or Windows) - it's
> fairly simple to do on Linux, but much more complicated on other platforms.

Hmm. How about creating a virtual BPF driver in the kernel offering all traffic as an alternative way?
Not that I'm saying that's easy to do.

I'll check the source of dumpcap to see if I find a way of doing this because in protocols like SCTP in a telco environment, multihoming is standard. So you either debug in a single-link setup (bringing down redundancy) or capture twice and merge together. Both result in lots of "hand code".
But from what I've seen so far it can be tricky.

Andreas Fink

Fink Consulting GmbH
Global Networks Schweiz AG
BebbiCell AG

---------------------------------------------------------------
Tel: +41-61-6666330 Fax: +41-61-6666331  Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail:  andreas@xxxxxxxx
www.finkconsulting.com www.global-networks.ch www.bebbicell.ch
---------------------------------------------------------------
ICQ: 8239353 MSN: msn1@xxxxxx AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333

Say NO to Power Line Communications: http://www.youtube.com/watch?v=pdcY0Eetvsw
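
The capture-twice-and-merge workaround discussed in the message above, as an added example that is not part of the original post or of Wireshark's code: it reads two classic little-endian pcap captures (one per interface) and interleaves their records by timestamp. The function names and the two sample captures are constructed for illustration, and each input is assumed to be in timestamp order already.

```python
import heapq
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def read_pcap(data):
    """Parse classic little-endian pcap bytes -> (linktype, [(ts_us, orig_len, payload)])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian microsecond pcap file")
    records, off = [], 24
    while off + 16 <= len(data):
        sec, usec, incl, orig = struct.unpack_from("<IIII", data, off)
        off += 16
        if off + incl > len(data):
            break  # final record truncated (capture cut off mid-write); drop it
        records.append((sec * 1_000_000 + usec, orig, data[off:off + incl]))
        off += incl
    return linktype, records

def write_pcap(linktype, records, snaplen=65535):
    """Serialise records back into a classic pcap byte string."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, linktype)]
    for ts, orig, payload in records:
        out.append(struct.pack("<IIII", ts // 1_000_000, ts % 1_000_000, len(payload), orig))
        out.append(payload)
    return b"".join(out)

def merge_pcaps(a, b):
    """Merge two per-interface captures into one file ordered by timestamp."""
    lt_a, recs_a = read_pcap(a)
    lt_b, recs_b = read_pcap(b)
    if lt_a != lt_b:
        raise ValueError("link types differ; classic pcap holds one link type per file")
    # Inputs are assumed time-ordered, so a two-way streaming merge is enough.
    merged = list(heapq.merge(recs_a, recs_b, key=lambda r: r[0]))
    return write_pcap(lt_a, merged)

# Constructed sample input: two tiny captures standing in for en0 and en1.
EN0 = write_pcap(1, [(1_000_000, 4, b"en0A"), (3_000_000, 4, b"en0B")])
EN1 = write_pcap(1, [(2_000_000, 4, b"en1A"), (4_500_000, 4, b"en1B")])

if __name__ == "__main__":
    _, recs = read_pcap(merge_pcaps(EN0, EN1))
    for ts, _orig, payload in recs:
        print(ts / 1e6, payload)
```

The merge only makes sense when both captures were taken on the same host clock; the interface each packet arrived on is lost, because classic pcap has no per-packet interface field.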