Ethereal-dev: [Ethereal-dev] Capturing from multiple interfaces, and why we need this.
Hi List!
Currently, Ethereal can only capture from one interface at once.
To be able to capture on a full duplex Ethernet without interfering with the
net, you have to think about how to do this.
As some of my colleagues are doing network troubleshooting, they have a
problem here.
The usual network troubleshooter will connect a notebook to the existing
ethernet "somehow".
It's preferable to change the existing network as minimally as possible,
as it will modify the network itself,
and the network professionals at that place will not be pleased, if you
install several new hardware components to
their network, so:
a) if you use a hub, this will switch back the connection to half duplex
b) if you add a manageable switch (with a monitoring port), this will
change the network configuration
and these devices are sometimes not easy to configure themselves (so you
add another point of failure)
c) add a network tap
To c): a network tap is plugged between a switch and the device under
test and
will be (almost) passive to the measured network. It will hand out both
directions of the full duplex connection with two
ethernet plugs. So if you want to capture now, you must do this from two
ethernet interfaces at once.
BTW: we might need a HowTo, which describes the possible ways for
connecting Ethereal to an existing network,
as this isn't obvious for some (network novice) users.
Now Ethereal comes in the discussion:
a) you cannot capture from multiple interfaces at once :-(((
b) you can capture using multiple instances of Ethereal and merge them
together using mergecap, but that's very uncomfortable :-(
c) as far as I know, on unix (linux only?) you can use an "all"
interface, which will capture from all interfaces at once.
But as I (and "my users") usually use the Win32 platform, this
doesn't help me very much :-(
d) use a completely different tool for capturing and doing only the
analyzing in Ethereal, but that's not very comfortable, either :-(
As it's been one strong criterion against Ethereal and for some other
analyzer, I'm thinking about how this could be changed.
I currently see the following solutions (most interesting first):
a) enable Ethereal to capture from multiple interfaces at once and do
the merging "on the fly"
b) enable Winpcap to support the "all" interface, like in the unix versions
c) integrate a separate capture tool into the GUI, which is capable of
doing multiple interface capturing
I understand this might be a lot of work, but as this is a limitation
and becoming more and more a criterion for not using Ethereal at all,
I think this effort should be spent.
Before doing anything on the code, I would like to hear some comments
about this.
Regards, ULFL
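
The timestamp merge that the mergecap workaround performs offline, and that solution a) would do on the fly, shown as an added example (not part of the original post and not Ethereal code). It assumes classic pcap files, one per tap output, each already in time order and both stamped by the same host clock; the leg names "A"/"B" and the sample frames are constructed.

```python
import heapq
import struct

MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
GLOBAL_HDR = "IHHiIII"      # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = "IIII"            # ts_sec, ts_usec, caplen, origlen

def write_pcap(records, linktype=1):
    """Serialize (ts_sec, ts_usec, frame) tuples as a little-endian pcap file."""
    out = [struct.pack("<" + GLOBAL_HDR, MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for sec, usec, frame in records:
        out.append(struct.pack("<" + REC_HDR, sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(blob, leg):
    """Yield (ts_sec, ts_usec, leg, frame) per record; handles both byte orders."""
    magic = struct.unpack_from("<I", blob)[0]
    if magic == MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = struct.calcsize(order + GLOBAL_HDR)
    while off + 16 <= len(blob):
        sec, usec, caplen, _ = struct.unpack_from(order + REC_HDR, blob, off)
        frame = blob[off + 16: off + 16 + caplen]
        if len(frame) < caplen:      # truncated last record: stop instead of guessing
            break
        off += 16 + caplen
        yield sec, usec, leg, frame

def merge_legs(blob_a, blob_b):
    """Interleave two per-direction captures by timestamp (leg A first on ties)."""
    return list(heapq.merge(read_pcap(blob_a, "A"), read_pcap(blob_b, "B"),
                            key=lambda r: (r[0], r[1])))

# Constructed sample: the two output ports of a tap on one full duplex link.
LEG_A = write_pcap([(100, 10, b"req1"), (100, 500, b"req2"), (101, 0, b"req3")])
LEG_B = write_pcap([(100, 200, b"rsp1"), (100, 900, b"rsp2")])

if __name__ == "__main__":
    for sec, usec, leg, frame in merge_legs(LEG_A, LEG_B):
        print(f"{sec}.{usec:06d} leg {leg} {frame!r}")
```

Because `heapq.merge` pulls records lazily, the same loop works on two live streams as long as each one delivers packets in time order.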