Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-dev: Re: [Wireshark-dev] Multiple interface capture device support in dumpcap

From: Stephen Donnelly <stephen.donnelly@xxxxxxxxxx>
Date: Thu, 7 Jun 2012 10:49:34 +1200
On 06/06/12 22:03, Guy Harris wrote:
On Jun 5, 2012, at 8:04 PM, Stephen Donnelly wrote:
I've posted an 'experimental' patch/hack to dumpcap in Bug #7300.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7300

The dumpcap implementation assumes that there is a one-to-one mapping between capture sources (pipe or pcap device) and physical interfaces, and so assigns one pcap-NG 'Interface Id' per source. This is fine for conventional capture sources, but does not support devices that represent more than one physical interface well.
...such as the Linux "any" device.

Good point, this is another case. Could PPI records come from multiple physical interfaces as well?

Does the linux 'any' device include a pseudo-header to indicate which interface each frame was captured on?

Is there a way to determine (before capture starts) how many interfaces will be captured from, or any details about them? This may require a new libpcap API.

Stephen.
--