Ethereal-users: Re: [Ethereal-users] Ethereal in Windows 2000 Terminal Session

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <guy@xxxxxxxxxx>
Date: Tue, 24 Apr 2001 11:29:34 -0700 (PDT)

> On another note, the newer versions of tcpdump read from all interfaces
> simultaneously.

It can do so *on Linux*, because, on Linux, you don't have to bind a
PF_PACKET socket to an interface and, if you don't, it listens on all
interfaces.

It also depends on being able to run PF_PACKET sockets in SOCK_DGRAM
mode, so that the actual underlying link-layer type of the packets is
hidden from the capturing program, so that a single capture filter BPF
program can be used on all those interfaces.

I.e., it's Linux-specific.

There are other ways of reading from multiple interfaces - one could,
for example, open each interface individually, and have the capture loop
do something like a "select()" or "poll()" on UNIX - or a
"WaitForMultipleEvents()" on Windows - and WinPcap 2.1 allows one to get
a handle for the event for a libpcap stream, so one could probably do
that on Windows.

(However, so far, my attempt to do that with one event hasn't worked -
but it's probably either a bug in GLib for Win32 or in the way my code
is using it; I haven't had time to debug it yet.)

Such a mechanism would require a new capture file format, giving each
captured packet a separate link-layer type (or storing a list of
interfaces in the front of the capture file, specifying names and
link-layer types for the interfaces, and giving each captured packet an
indication of the interface on which it was captured).

> Will such function be available on windows any time soon
> (is it a pcap limitation?) for ethereal?

Probably not any time soon; as per the above, there's a fair bit of
infrastructure work that would be needed.
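
Added example, not part of the original message and not Ethereal or libpcap code: a C sketch of the second capture-file layout the message describes, with an interface table at the front of the file and an interface index on every packet record. The `mif_` names, the magic value and the field widths are assumptions made for illustration; the link-layer values 1 and 9 are libpcap's DLT_EN10MB and DLT_PPP.

```c
/* Layout described above: an interface table at the front of the file, then
 * records tagged with an interface index. Constructed sketch, host byte order. */
#include <stdint.h>
#include <stdio.h>
#define MIF_MAGIC 0x4d494631u  /* constructed magic value */
#define MIF_MAX_IFACES 32u
struct mif_iface { uint32_t linktype; char name[16]; };

/* Write the magic, the interface count and the interface table. */
static int mif_write_header(FILE *f, const struct mif_iface *ifs, uint32_t n) {
    uint32_t magic = MIF_MAGIC;
    return fwrite(&magic, 4, 1, f) == 1 && fwrite(&n, 4, 1, f) == 1 &&
           fwrite(ifs, sizeof *ifs, n, f) == n ? 0 : -1;
}

/* Append one packet tagged with the index of its capturing interface. */
static int mif_write_packet(FILE *f, uint32_t idx, const void *p, uint32_t len) {
    return fwrite(&idx, 4, 1, f) == 1 && fwrite(&len, 4, 1, f) == 1 &&
           fwrite(p, 1, len, f) == len ? 0 : -1;
}

/* Read the interface table; returns the count, or -1 if malformed. */
static int mif_read_header(FILE *f, struct mif_iface *ifs) {
    uint32_t magic, n;
    if (fread(&magic, 4, 1, f) != 1 || magic != MIF_MAGIC) return -1;
    if (fread(&n, 4, 1, f) != 1 || n == 0 || n > MIF_MAX_IFACES) return -1;
    if (fread(ifs, sizeof *ifs, n, f) != n) return -1;
    for (uint32_t i = 0; i < n; i++) ifs[i].name[15] = '\0'; /* untrusted */
    return (int)n;
}

/* Read one record. Returns its link-layer type, -1 at EOF, -2 if malformed. */
static int mif_read_packet(FILE *f, const struct mif_iface *ifs, uint32_t n,
                           uint8_t *buf, uint32_t bufsz, uint32_t *len) {
    uint32_t idx;
    if (fread(&idx, 4, 1, f) != 1) return -1;
    if (fread(len, 4, 1, f) != 1 || idx >= n || *len > bufsz) return -2;
    if (fread(buf, 1, *len, f) != *len) return -2;
    return (int)ifs[idx].linktype;
}

int main(void) {
    struct mif_iface ifs[MIF_MAX_IFACES] = {{1, "eth0"}, {9, "ppp0"}}; /* constructed */
    uint8_t buf[64]; uint32_t len; FILE *f = tmpfile();
    if (!f || mif_write_header(f, ifs, 2) || mif_write_packet(f, 1, "\xff\x03", 2)) return 1;
    rewind(f);
    int n = mif_read_header(f, ifs);
    printf("ifaces=%d linktype=%d\n", n, n < 0 ? -1 : mif_read_packet(f, ifs, (uint32_t)n, buf, sizeof buf, &len));
    return 0;
}
```

The reader treats the file as untrusted input: a record whose interface index is outside the table, or whose length exceeds the caller's buffer, is rejected instead of being used to index or copy.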