Wireshark-users: Re: [Wireshark-users] Wireshark V1.8.0 - analysing dual NIC capture
On Jun 27, 2012, at 9:13 AM, Tamás Varga wrote:
> Hi Guy, is this also means that there is no way today to display or filter packets based on the interface they have been captured? /Tamas
You can use a display filter like
frame.interface_id == 0
or so to only display packets captured on that interface.
Best regards
Michael
>
> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
> Sent: Tuesday, June 26, 2012 23:26
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] Wireshark V1.8.0 - analysing dual NIC capture
>
>
> On Jun 26, 2012, at 1:56 PM, Jeff Morriss wrote:
>
>> Pretty much, yes. The intent (I think) was just to allow capturing on
>> 2 interfaces simultaneously (rather than having to run 2
>> Wiresharks/dumpcaps and then merge the traces offline).
>>
>> But nothing was added to separate out potentially-duplicated traffic.
>> (The use case is more for multi-homed hosts.)
>
> Yes. Not all ways you can perform multi-interface capture are necessarily *useful*. Think of it as being similar to the "any" device on Linux (the differences are that
>
> 1) you can control options on individual interfaces separately;
>
> 2) the interfaces can supply different link-layer header types;
>
> 3) you have to specify the list of interfaces when you start the capture).
> ___________________________________________________________________________
> Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
> Archives: http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>