Wireshark-dev: Re: [Wireshark-dev] Problems with capturing on multiple interfaces
From: Michael Tüxen <Michael.Tuexen@xxxxxxxxxxxxxxxxx>
Date: Sat, 21 May 2011 19:31:39 +0200
On May 20, 2011, at 11:18 PM, Joerg Mayer wrote:

> On Fri, May 20, 2011 at 02:25:38PM +0000, Chris Maynard wrote:
>> To me, if it doesn't work without -n and -t, then it makes it that much more
>> user-friendly to automatically use pcapng and threads whenever multiple
>> interfaces are specified.
> 
> Do we really need pcapng if multiple interfaces of the same type are specified
> or is this "only" to make it possible to see which interface the packet was
> captured on?
Good question: For interfaces with different types you need pcapng to handle
different types. For interfaces of the same type you need pcapng to store
the information on which interface the packet was captured. If you do not
need this information, you could use pcap. My current decision was that
I wanted to have the information on which interface the packet was captured,
so I enforce pcapng. Since wireshark supports pcapng, I do not see a drawback.
If you want to use the capture file with other tools you might want to
convert your pcapng file to pcap. We might want to enhance wireshark to
be able to store such a file in .pcap format and losing some information
(maybe it can do it already, haven't looked at it.)
> 
>> And speaking of "-i any", obviously on Windows, that isn't supported ... but a
>> neat thing would be if it could be by internally scanning all interfaces and
>> treating it as if "-i 1 -i 2 ... -i n" were specified.
> 
> I don't quite agree with this: any has a very specific meaning and will (normally)
> create pcap output, while your proposal would create pcapng output. Also the linux
> cooked capture type does not contain a L2 header. Maybe adding a new "all" pseudo
> interface would be better.
I agree totally with you. -i all is much better.
dumpcap -i any
should continue to behave like it does today.

Best regards
Michael
> 
> Ciao
>   Joerg
> -- 
> Joerg Mayer                                           <jmayer@xxxxxxxxx>
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.