Wireshark-users: Re: [Wireshark-users] Wireshark V1.8.0 - analysing dual NIC capture

From: Tamás Varga <Tamas.Varga@xxxxxxxxxxxx>
Date: Wed, 27 Jun 2012 10:59:06 +0200
Thanks, Guy, for the extensive answer! My question was targeting exactly this subject, since I was not aware of the "frame.interface_id" field. /Tamas

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Wednesday, June 27, 2012 09:30
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Wireshark V1.8.0 - analysing dual NIC capture


On Jun 27, 2012, at 12:13 AM, Tamás Varga wrote:

> Hi Guy, does this also mean that there is no way today to display or
> filter packets based on the interface they have been captured on? /Tamas

I'm not sure what you're asking, but if you mean "does this also mean that you can't construct a display filter that matches only packets from some particular interface?", the answer is "no, it doesn't".  For pcap-ng capture files (which are the default when capturing), you can filter on the "frame.interface_id" field; its value is the numerical interface ID in the capture.  See the Statistics -> Summary window for a list of all the interfaces; the first one has an interface ID of 0, the second one has an interface ID of 1, etc.  You could also see it in the "Frame" section of the packet detail pane.

We should, if the interface has a name, display it in the Frame section, and support filtering on it as well.  (If you were to merge two captures, both of which had an interface named, for example, "eth0", but those were "eth0" interfaces on different machines, you wouldn't be able to distinguish between them by filtering on the interface name, but that's life.)

A *capture* filter specifying an interface would make sense only on the Linux "any" device; libpcap currently doesn't support that.
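
An added example, not part of the original thread and not Wireshark code: a minimal pcap-ng reader showing where the value of "frame.interface_id" comes from (the order of the Interface Description Blocks, starting at 0) and that two interfaces both named "eth0" remain distinguishable by ID. It assumes a single little-endian section; the function names and the sample bytes are constructed for illustration.

```python
import struct
from collections import Counter

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6   # pcap-ng block type codes
IF_NAME = 2                         # if_name option code inside an IDB

def _block(btype, body):
    """Build one little-endian pcap-ng block (used only for the sample data)."""
    body += b"\x00" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _idb(name):
    opt = struct.pack("<HH", IF_NAME, len(name)) + name + b"\x00" * (-len(name) % 4)
    return _block(IDB, struct.pack("<HHI", 1, 0, 65535) + opt + struct.pack("<HH", 0, 0))

def _epb(if_id, payload):
    hdr = struct.pack("<IIIII", if_id, 0, 0, len(payload), len(payload))
    return _block(EPB, hdr + payload)

# Constructed sample: one section, two interfaces that are both named "eth0".
SAMPLE = (_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + _idb(b"eth0") + _idb(b"eth0")
          + _epb(0, b"\x00" * 14) + _epb(1, b"\x00" * 14) + _epb(1, b"\x00" * 14))

def packets_per_interface(data):
    """Return ({interface_id: name}, Counter of packets per interface_id)."""
    names, counts, off = {}, Counter(), 0
    while off + 12 <= len(data):
        btype, total = struct.unpack_from("<II", data, off)
        if total < 12 or total % 4 or off + total > len(data):
            raise ValueError(f"malformed block at offset {off}")
        body = data[off + 8: off + total - 4]
        if btype == SHB and body[:4] != b"\x4d\x3c\x2b\x1a":
            raise ValueError("only little-endian sections are handled here")
        if btype == IDB:
            if_id, name, p = len(names), None, 8   # IDs follow IDB order: 0, 1, ...
            while p + 4 <= len(body):
                code, length = struct.unpack_from("<HH", body, p)
                if code == 0:                      # opt_endofopt
                    break
                if code == IF_NAME:
                    name = body[p + 4: p + 4 + length].decode("utf-8", "replace")
                p += 4 + length + (-length % 4)    # option values are padded to 4 bytes
            names[if_id] = name
        elif btype == EPB and len(body) >= 20:
            counts[struct.unpack_from("<I", body)[0]] += 1   # first EPB field
        off += total
    return names, counts

if __name__ == "__main__":
    print(packets_per_interface(SAMPLE))
```

The per-ID counts correspond to what the display filters "frame.interface_id == 0" and "frame.interface_id == 1" would each match in such a file.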