
Wireshark-dev: [Wireshark-dev] Multiple interface capture device support in dumpcap

From: Stephen Donnelly <Stephen.Donnelly@xxxxxxxxxx>
Date: Wed, 6 Jun 2012 03:04:59 +0000
I've posted an 'experimental' patch/hack to dumpcap in Bug #7300.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7300

The dumpcap implementation assumes that there is a one-to-one mapping between capture sources (pipe or pcap device) and physical interfaces, and so assigns one pcap-NG 'Interface Id' per source. This is fine for conventional capture sources, but does not support devices that represent more than one physical interface well.

The patch adds support for DLT_ERF captures via libpcap. Since a LINKTYPE_ERF represents up to 4 interfaces, I assign 3 additional sequential Interface Ids, which creates additional IDBs in the captured file.

It seems possible that a pipe data source with DLT_PPI or DLT_ERF could also represent more than one interface. Also in future libpcap may support some native form of multiple-interface capture, either with or without pcap-NG capture APIs?

I'm not suggesting this patch is the best solution, although it is functional. Any thoughts? Is it worth adding an explicit 'capture device to multi-interface' abstraction layer in dumpcap?

Stephen
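
The sketch below is an added example, not the patch from Bug #7300 and not dumpcap code. It shows one way a single DLT_ERF source can fan out to four pcap-NG Interface Ids, with a length check because capture records are untrusted input. Assumptions: the function names are hypothetical, the port is taken from the low two bits of the ERF flags byte, "sequential" is read as base id plus port, and the IDBs carry no options and use host byte order.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ERF_HDR_LEN    16    /* ts(8) type(1) flags(1) rlen(2) lctr(2) wlen(2) */
#define ERF_IFACE_MASK 0x03  /* low two bits of the flags byte: capture port 0-3 */
#define ERF_MAX_IFACES 4
#define LINKTYPE_ERF   197
#define IDB_LEN        20    /* pcap-NG Interface Description Block, no options */

/* Map one ERF record to a pcap-NG Interface Id (assumed scheme: base_id is the
 * id given to the capture source, ports 1-3 take the next three ids).
 * Returns -1 if the record is too short to contain an ERF header. */
int erf_interface_id(const uint8_t *rec, size_t caplen, uint32_t base_id, uint32_t *id_out)
{
    if (rec == NULL || id_out == NULL || caplen < ERF_HDR_LEN)
        return -1;
    *id_out = base_id + (rec[9] & ERF_IFACE_MASK);
    return 0;
}

/* Write one option-less IDB: type, total length, linktype, reserved, snaplen, total length. */
static void put_idb(uint8_t *out, uint32_t snaplen)
{
    uint32_t type = 1, total = IDB_LEN;
    uint16_t linktype = LINKTYPE_ERF, reserved = 0;
    memcpy(out, &type, 4);
    memcpy(out + 4, &total, 4);
    memcpy(out + 8, &linktype, 2);
    memcpy(out + 10, &reserved, 2);
    memcpy(out + 12, &snaplen, 4);
    memcpy(out + 16, &total, 4);
}

/* Emit four consecutive IDBs for one ERF source; returns bytes written, 0 if out is too small. */
size_t erf_write_idbs(uint8_t *out, size_t outlen, uint32_t snaplen)
{
    if (out == NULL || outlen < (size_t)ERF_MAX_IFACES * IDB_LEN)
        return 0;
    for (int i = 0; i < ERF_MAX_IFACES; i++)
        put_idb(out + (size_t)i * IDB_LEN, snaplen);
    return (size_t)ERF_MAX_IFACES * IDB_LEN;
}

int main(void) {
    uint8_t rec[ERF_HDR_LEN] = {0}, idbs[ERF_MAX_IFACES * IDB_LEN];
    uint32_t id = 0;
    rec[9] = 0x06;  /* constructed record: flags byte selects port 2 */
    return (erf_write_idbs(idbs, sizeof idbs, 65535) == 80 && erf_interface_id(rec, sizeof rec, 5, &id) == 0 && id == 7) ? 0 : 1;
}
```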