I've posted an 'experimental' patch/hack to dumpcap in Bug #7300.

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7300

The dumpcap implementation assumes that there is a one-to-one mapping between 
capture sources (pipe or pcap device) and physical interfaces, and so assigns 
one pcap-NG 'Interface Id' per source. This is fine for conventional capture 
sources, but does not support devices that represent more than one physical 
interface well.

The patch adds support for DLT_ERF captures via libpcap. Since a LINKTYPE_ERF 
represents up to 4 interfaces, I assign 3 additional sequential Interface Ids, 
which creates additional IDBs in the captured file.

It seems possible that a pipe data source with DLT_PPI or DLT_ERF could also 
represent more than one interface. Also in future libpcap may support some 
native form of multiple-interface capture, either with or without pcap-NG 
capture APIs?

I'm not suggesting this patch is the best solution, although it is functional. 
Any thoughts? Is it worth adding an explicit 'capture device to 
multi-interface' abstraction layer in dumpcap?

Stephen
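
The Interface Id assignment described in the message above, as an added sketch that is not the patch from Bug #7300 and not dumpcap code: each source gets a base Interface Id, an ERF source reserves four sequential ids, and the low two bits of the ERF flags byte select which one a record uses. The function names are hypothetical and the sample record is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define LINKTYPE_ERF    197    /* same value as DLT_ERF in libpcap */
#define ERF_HEADER_LEN  16u    /* ts(8) type(1) flags(1) rlen(2) lctr(2) wlen(2) */
#define ERF_IFACE_MASK  0x03u  /* flags bits 0-1: capture interface 0..3 */

/* Hypothetical helper: how many IDBs one capture source needs. */
static uint32_t idbs_for_source(int linktype)
{
    return linktype == LINKTYPE_ERF ? 4u : 1u;
}

/* Give each source its first Interface Id; returns the total IDB count. */
static uint32_t assign_base_ids(const int *linktypes, size_t n, uint32_t *base)
{
    uint32_t next = 0;
    for (size_t i = 0; i < n; i++) {
        base[i] = next;
        next += idbs_for_source(linktypes[i]);
    }
    return next;
}

/* Map one ERF record to a pcapng Interface Id. Returns 0 on success,
 * -1 if the captured bytes cannot hold a valid ERF header. */
static int erf_interface_id(const uint8_t *rec, size_t caplen,
                            uint32_t base_id, uint32_t *out_id)
{
    if (rec == NULL || out_id == NULL || caplen < ERF_HEADER_LEN)
        return -1;
    uint32_t rlen = ((uint32_t)rec[10] << 8) | rec[11]; /* big-endian */
    if (rlen < ERF_HEADER_LEN)
        return -1;
    *out_id = base_id + (rec[9] & ERF_IFACE_MASK);
    return 0;
}

int main(void)
{
    const int linktypes[2] = { 1, LINKTYPE_ERF }; /* Ethernet, then ERF */
    uint32_t base[2], id = 0;
    uint8_t rec[ERF_HEADER_LEN] = { 0 };          /* constructed sample record */
    rec[8] = 2; rec[9] = 0x06; rec[11] = 64;      /* type ETH, port 2, rlen 64 */
    uint32_t total = assign_base_ids(linktypes, 2, base);
    if (erf_interface_id(rec, sizeof rec, base[1], &id) == 0)
        printf("IDBs=%u ERF base=%u record id=%u\n", total, base[1], id);
    return 0;
}
```

The length checks are there because the record comes from the capture source and a short or malformed header must not be read as a valid interface number.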

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev