Cool. I would encourage tcpdump-workers to try to eventually support opening up multiple devices and listening on all of them.

For instance, the command

    tcpdump -e -i any

that would show output like:

    11:42:25.170257 >eth1 00:24:bf:5b:d4:d6 > 00:0c:29:f7:7f:e9, ethertype IPv4 (0x0800), length ....
    11:42:25.171312 <eth2 00:30:c1:9d:8d:80 > 00:22:54:7b:41:06, ethertype IPv4 (0x0800), length ....

(where ">eth1" means "arrived at eth1", and "<eth2" means "sent by eth2")

is *extremely* useful.

-paul

On Wed, Dec 5, 2012 at 5:24 PM, Guy Harris <g...@alum.mit.edu> wrote:

>
> On Dec 5, 2012, at 2:56 PM, Paul Sheer <paulsh...@gmail.com> wrote:
>
> > I would like to capture on all interfaces, but I would also like to
> > know, with each packet, what interface it arrived on and left out of.
> >
> > This information is contained within the Linux kernel skbuff.
> >
> > But pcap does not see it.
>
> What's really wanted there is a new API and pcap-ng support, so that the
> interface ID and interface information can be present in the capture file.
> You could capture with multiple pcap_t's, one for each interface, but not
> with the "any" device, as that doesn't supply the interface index.
>
> > I also want to see both source and destination hardware addresses of the
> > Ethernet packet (if it is Ethernet).
> >
> > I guess this feature requires kernel changes.
>
> If the kernel allows an unbound PF_PACKET/SOCK_RAW socket, you could get
> that, but filtering would be difficult unless all interfaces have the same
> ARPHRD_ type - in-kernel filtering might apply to the socket, in which case
> it might be difficult or impossible to do it (the BPF program would have to
> determine the link-layer header type for the packet and jump to the
> appropriate filtering code), and userland filtering might be tricky as well
> (it would have to determine the link-layer header type for each interface
> and apply the appropriate filter).
>
> If you do this by capturing on multiple pcap_t's, that's easier.
>
> > The second problem is that tcpdump seems to have no way of listening on
> > all interfaces. So if you are trying to track SCTP packets that use two
> > separate interfaces, it seems you have to use wireshark instead.
>
> The only way tcpdump currently supports for listening on all interfaces is
> the "any" device. If it could write pcap-ng files, it could do the same
> thing Wireshark does - open multiple pcap_t's and capture on all of them.
>

_______________________________________________
tcpdump-workers mailing list
tcpdump-workers@lists.tcpdump.org
https://lists.sandelman.ca/mailman/listinfo/tcpdump-workers
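
The unbound PF_PACKET/SOCK_RAW socket mentioned in the thread above, as an added example that is not part of the original messages and is not tcpdump or libpcap code: on Linux, recvfrom() on such a socket fills a struct sockaddr_ll with the interface index, packet direction and ARPHRD_ link type for each frame. The helper names direction_marker and format_frame are hypothetical, and non-Ethernet link types are skipped, not decoded.

```c
/* Added example. Linux only; the live capture in main() needs CAP_NET_RAW. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <net/if.h>
#include <net/if_arp.h>
#include <net/ethernet.h>
#include <netpacket/packet.h>

/* '<' = sent by the interface, '>' = arrived at it (notation from the post). */
char direction_marker(unsigned char pkttype) {
    return pkttype == PACKET_OUTGOING ? '<' : '>';
}

/* Format one output line. Returns 0 on success, -1 when the link type is not
 * Ethernet or the frame is too short to hold an Ethernet header. */
int format_frame(const struct sockaddr_ll *sll, const char *ifname,
                 const unsigned char *f, size_t len, char *out, size_t outlen) {
    if (sll->sll_hatype != ARPHRD_ETHER || len < ETH_HLEN)
        return -1;
    snprintf(out, outlen,
             "%c%s %02x:%02x:%02x:%02x:%02x:%02x > %02x:%02x:%02x:%02x:%02x:%02x, "
             "ethertype 0x%04x, length %zu",
             direction_marker(sll->sll_pkttype), ifname,
             f[6], f[7], f[8], f[9], f[10], f[11],   /* source MAC */
             f[0], f[1], f[2], f[3], f[4], f[5],     /* destination MAC */
             (unsigned)((f[12] << 8) | f[13]), len);
    return 0;
}

int main(void) {
    /* No bind(): the socket receives frames from every interface. */
    int fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0) { perror("socket"); return 1; }
    unsigned char buf[65536];
    char line[160], ifname[IF_NAMESIZE];
    for (int i = 0; i < 20; i++) {               /* print up to 20 frames */
        struct sockaddr_ll sll;
        socklen_t slen = sizeof sll;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sll, &slen);
        if (n < 0) { perror("recvfrom"); break; }
        if (!if_indextoname((unsigned)sll.sll_ifindex, ifname))
            snprintf(ifname, sizeof ifname, "if%d", sll.sll_ifindex);
        if (format_frame(&sll, ifname, buf, (size_t)n, line, sizeof line) == 0)
            puts(line);
    }
    close(fd);
    return 0;
}
```

Frames from interfaces with another ARPHRD_ type, such as loopback, are dropped by the sll_hatype check, which is the per-interface link-layer dispatch the reply says any filter on this kind of socket would have to do.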