Hi Chris, thanks for your input.

On Fri, Oct 23, 2020 at 04:13:17PM +0000, Maynard, Chris via Wireshark-dev wrote:
> > I'm currently facing a problem where I need to create pcap files of about
> > 26 network devices in parallel. 24 of those are hdlcX devices (by Linux kernel
> > hdlc_fr), while two are Ethernet devices. So there are different link types, but I
> > doubt this matters for the remainder of the discussion.
>
> It matters if you intend to merge different capture files together with
> different DLT's, in which case you'll most definitely want to use the pcapng
> format to retain the different interfaces and not the pcap format, which
> supports only a single encapsulation per file.

I was imprecise. In the above sentence, replace "I need to create pcap files"
with "I need to create packet captures in whatever format supported by wireshark".
So pcap-ng is perfectly fine here.

> > The resulting capture file should of course indicate on which particular
> > interface a given packet was sent or received.
>
> If you use pcapng, it will.

great.

> > Furthermore, when starting a cooked Linux capture on the Linux 'any' device, it
> > also appears wireshark is not displaying the information about which netdevice
> > the message was captured.
>
> Instead of capturing on the "any" interface, you can specify multiple
> occurrences of the "-i" option for each interface you intend to
> capture from. Yes, this makes the command-line longer and initially
> more tedious to construct, especially if you have a large number of
> interfaces.

Ok, will try that, thanks. Didn't know it was possible, to be honest.

> > As far as I know, on AF_PACKET sockets one can do recvmsg() and will then get
> > a sockaddr_ll structure alongside the actual packet, which contains the ifindex
> > of the underlying network device. Together with the usual sockopt or netlink
> > based method that can be translated to a device name.
> >
> > Am I missing something? Is there a specific reason why this information is not
> > obtained/displayed or written when writing an output file, even in pcap-ng
> > mode?
>
> It should be written, just don't capture on the "any" interface.

Thanks, I hear you. However: I'm wondering why that is. Is there any
fundamental reason for it?

As I stated above, an AF_PACKET socket does not have to be bound to a specific
interface (see "man 7 packet") and when recvmsg() is used, you will get the
interface index of the interface on a per-packet basis.

Am I misunderstanding the capabilities of AF_PACKET sockets? Or is this simply
something wireshark never implemented, but it could very well be added? In the
latter case, I might be tempted to try cooking up a patch.

--
- Harald Welte <lafo...@gnumonks.org> http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
(ETSI EN 300 175-7 Ch. A6)
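
The per-packet lookup the message describes, as an added example that is not part of the original e-mail and is not libpcap or Wireshark code: an unbound AF_PACKET socket read with recvmsg(), with the returned sockaddr_ll translated to an interface name. The helper name `origin_of`, the `if#<index>` fallback and the ten-packet limit are assumptions made for illustration; it is Linux-only and `main()` needs CAP_NET_RAW.

```c
#include <arpa/inet.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Hypothetical helper: format "<ifname> <rx|tx>" from the address that
 * recvmsg() returns alongside a packet. Falls back to "if#<index>" when the
 * index does not map to a name (for example, the device was removed). */
const char *origin_of(const struct sockaddr_ll *sll, char *out, size_t len)
{
    char name[IF_NAMESIZE];
    const char *dir = (sll->sll_pkttype == PACKET_OUTGOING) ? "tx" : "rx";

    if (if_indextoname((unsigned int)sll->sll_ifindex, name))
        snprintf(out, len, "%s %s", name, dir);
    else
        snprintf(out, len, "if#%d %s", sll->sll_ifindex, dir);
    return out;
}

int main(void)
{
    /* No bind(): the socket sees every interface, like the "any" device.
     * SOCK_DGRAM delivers packets without the link-layer header (cooked). */
    int fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }

    for (int i = 0; i < 10; i++) {           /* arbitrary packet count */
        unsigned char pkt[65536];
        char desc[IF_NAMESIZE + 16];
        struct sockaddr_ll from;
        struct iovec iov = { .iov_base = pkt, .iov_len = sizeof(pkt) };
        struct msghdr msg = { .msg_name = &from, .msg_namelen = sizeof(from),
                              .msg_iov = &iov, .msg_iovlen = 1 };
        ssize_t n = recvmsg(fd, &msg, 0);
        if (n < 0) { perror("recvmsg"); break; }
        printf("%-20s hatype=%u proto=0x%04x len=%zd\n",
               origin_of(&from, desc, sizeof(desc)),
               (unsigned)from.sll_hatype, (unsigned)ntohs(from.sll_protocol), n);
    }
    close(fd);
    return 0;
}
```

The `sll_hatype` field printed per packet is the ARP hardware type of the originating device, so a mix of hdlcX and Ethernet devices is distinguishable on the same socket.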