On Dec 5, 2012, at 2:56 PM, Paul Sheer <paulsh...@gmail.com> wrote:

> I would like to capture on all interfaces, but I would also like to know,
> with each packet, what interface it arrived on and left out of.
>
> This information is contained within the Linux kernel skbuff.
>
> But pcap does not see it.

What's really wanted there is a new API and pcap-ng support, so that the interface ID and interface information can be present in the capture file.

You could capture with multiple pcap_t's, one for each interface, but not with the "any" device, as that doesn't supply the interface index.

> I also want to see both source and destination hardware addresses of the
> Ethernet packet (if it is Ethernet).
>
> I guess this feature requires kernel changes.

If the kernel allows an unbound PF_PACKET/SOCK_RAW socket, you could get that, but filtering would be difficult unless all interfaces have the same ARPHRD_ type - in-kernel filtering might apply to the socket, in which case it might be difficult or impossible to do it (the BPF program would have to determine the link-layer header type for the packet and jump to the appropriate filtering code), and userland filtering might be tricky as well (it would have to determine the link-layer header type for each interface and apply the appropriate filter).

If you do this by capturing on multiple pcap_t's, that's easier.

> The second problem is that tcpdump seems to have no way of listening on all
> interfaces. So if you are trying to track SCTP packets that use two separate
> interfaces, it seems you have to use wireshark instead.

The only way tcpdump currently supports for listening on all interfaces is the "any" device. If it could write pcap-ng files, it could do the same thing Wireshark does - open multiple pcap_t's and capture on all of them.

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
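The unbound PF_PACKET/SOCK_RAW approach the reply describes, as an added example that is not part of the thread and is not libpcap or tcpdump code. It reads from one unbound packet socket (per packet(7), a packet socket that is never bound receives from every interface), and for each frame pulls out of the kernel-supplied sockaddr_ll what the "any" device loses: the interface index, the ARPHRD_ link-layer type, and whether the frame was outgoing. The Ethernet source and destination MACs are only parsed when sll_hatype is ARPHRD_ETHER, which is exactly the per-interface link-type dispatch the reply says any filtering would need. The function names (classify_frame, capture_all_interfaces, demo_classify), the struct, and the sample frame are all mine; the sample is constructed, not a real capture. Linux only; opening the socket needs CAP_NET_RAW, but demo_classify runs unprivileged.

```c
/* Added example, not libpcap/tcpdump code: capture on all interfaces via an
 * unbound PF_PACKET/SOCK_RAW socket and keep per-packet interface metadata. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>

struct frame_meta {
    int ifindex;            /* interface the frame arrived on / left by */
    unsigned short hatype;  /* ARPHRD_* link-layer type of that interface */
    int outgoing;           /* 1 if this host transmitted the frame */
    int is_ether;           /* 1 if dst/src/ethertype below are valid */
    unsigned char dst[ETH_ALEN];
    unsigned char src[ETH_ALEN];
    uint16_t ethertype;
};

/* Fill *m from the kernel-supplied address and the raw frame. Returns 0 on
 * success, -1 if an Ethernet interface delivered a frame shorter than its
 * header. Non-Ethernet link types are reported but their headers not parsed:
 * each ARPHRD_ type would need its own parser, which is the reply's point. */
int classify_frame(const struct sockaddr_ll *sll, const unsigned char *buf,
                   size_t len, struct frame_meta *m)
{
    memset(m, 0, sizeof *m);
    m->ifindex = sll->sll_ifindex;
    m->hatype = sll->sll_hatype;
    m->outgoing = (sll->sll_pkttype == PACKET_OUTGOING);
    if (sll->sll_hatype != ARPHRD_ETHER)
        return 0;
    if (len < ETH_HLEN)
        return -1;
    m->is_ether = 1;
    memcpy(m->dst, buf, ETH_ALEN);
    memcpy(m->src, buf + ETH_ALEN, ETH_ALEN);
    m->ethertype = (uint16_t)((buf[12] << 8) | buf[13]);
    return 0;
}

static void print_meta(const struct frame_meta *m, size_t len)
{
    char name[IF_NAMESIZE];
    if (!if_indextoname((unsigned)m->ifindex, name))
        snprintf(name, sizeof name, "ifindex%d", m->ifindex);
    printf("%s %s hatype=%u len=%zu", m->outgoing ? "out" : "in ", name,
           m->hatype, len);
    if (m->is_ether)
        printf(" %02x:%02x:%02x:%02x:%02x:%02x > %02x:%02x:%02x:%02x:%02x:%02x"
               " ethertype 0x%04x",
               m->src[0], m->src[1], m->src[2], m->src[3], m->src[4], m->src[5],
               m->dst[0], m->dst[1], m->dst[2], m->dst[3], m->dst[4], m->dst[5],
               m->ethertype);
    putchar('\n');
}

/* Read up to max_packets from every interface. Not calling bind() is what
 * makes the socket receive from all of them. Returns 0, or -1 with errno set. */
int capture_all_interfaces(int max_packets)
{
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    for (int n = 0; n < max_packets; n++) {
        unsigned char buf[65536];
        struct sockaddr_ll sll;
        socklen_t slen = sizeof sll;
        ssize_t len = recvfrom(fd, buf, sizeof buf, 0,
                               (struct sockaddr *)&sll, &slen);
        if (len < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        struct frame_meta m;
        if (classify_frame(&sll, buf, (size_t)len, &m) == 0)
            print_meta(&m, (size_t)len);
    }
    close(fd);
    return 0;
}

/* Constructed sample, not a real capture: an outgoing IPv4 frame on ifindex 2.
 * len is how much of the frame to hand to classify_frame(). */
const struct frame_meta *demo_classify(size_t len)
{
    static const unsigned char frame[] = {
        0x00, 0x11, 0x22, 0x33, 0x44, 0x55,  /* dst MAC */
        0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0xee,  /* src MAC */
        0x08, 0x00,                          /* EtherType IPv4 */
        0x45, 0x00, 0x00, 0x14               /* start of an IPv4 header */
    };
    static struct frame_meta m;
    struct sockaddr_ll sll;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_ifindex = 2;
    sll.sll_hatype = ARPHRD_ETHER;
    sll.sll_pkttype = PACKET_OUTGOING;
    if (len > sizeof frame)
        len = sizeof frame;
    return classify_frame(&sll, frame, len, &m) == 0 ? &m : NULL;
}

int main(void)
{
    print_meta(demo_classify(18), 18);
    if (capture_all_interfaces(10) < 0)
        perror("capture_all_interfaces");
    return 0;
}
```

Two caveats a practitioner should expect. A packet the host forwards is seen twice, once inbound on the ingress interface and once with PACKET_OUTGOING on the egress interface, and nothing in the socket API ties the two together; that correlation is left to the reader. And because the socket is unbound, a single BPF filter attached with SO_ATTACH_FILTER would run against frames of every link type the host has, which is why the example only dispatches on hatype in userland rather than attaching a kernel filter.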