Wireshark-dev: Re: [Wireshark-dev] Problems with capturing on multiple interfaces
From: Chris Maynard <[email protected]>
Date: Fri, 20 May 2011 14:25:38 +0000 (UTC)
Michael Tüxen <[email protected]> writes:

> You actually need:
> -n to use pcapng
> and
> -t to use threads.
> It is simple to add -n and -t if you are specifying more than one interface
> (actually this is what tshark and wireshark do). I wanted to be explicit
> since I consider it currently an experimental feature. But, if the groups
> prefers, we can add -n and -t if there is more than one interface specified.

To me, if it doesn't work without -n and -t, then it makes it that much more
user-friendly to automatically use pcapng and threads whenever multiple
interfaces are specified.

I understand this is still a work in progress, but something else I was thinking
about was the "-i any" interface.  What will happen if someone specifies
something like, "-i eth0 -i any -i lo" or variations thereof?  I assume it would
be treated as "-i any" only?

And speaking of "-i any", obviously on Windows, that isn't supported ... but a
neat thing would be if it could be by internally scanning all interfaces and
treating it as if "-i 1 -i 2 ... -i n" were specified.

And while I'm at it ... another feature that I think would be nice to have would
be to be able to specify capturing on an interface that doesn't yet exist, such
as ppp0.  For my USB/PPP capturing, currently to get a capture of all traffic
over that interface, I either have to use usbmon or ppp's record option to
generate a pppdump file.  (OK, this last one isn't really specific to capturing
on multiple interfaces, but it's related to capturing so ...)

> Thanks for the feedback.
You're welcome ... thanks for the feature!
- Chris