Wireshark filter for different interface

2

1

I know that before capturing packets, I can select specific interface.

I wonder if there is any filter to distinguish different interfaces after I capture packets?

That is, at the beginning, I capture packets of all interfaces.

After that, I can use "some filter" for different interfaces.

Does anyone know about it?

joyce7216

Posted 2011-08-18T03:09:42.977

Reputation: 23

Answers

0

The "Linux cooked" capture mode doesn't distinguish in any way between packets from different interfaces. You can only filter the results by IP address.

user1686

Posted 2011-08-18T03:09:42.977

Reputation: 283 655

2

Since Wireshark 1.8, and while using the pcap-ng capture format, you can use frame.interface_id. It is the number of the interface the frame was captured from. To map the number to the actual interface, see the Statistics > Summary window. The first interface in the table has number 0 and the others follow.

I tested this on Ubuntu 12.04.3 (kernel 3.2.0-57), Wireshark 1.10.3.

For additional details see:

pabouk

Posted 2011-08-18T03:09:42.977

Reputation: 5 358
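Where the number behind frame.interface_id comes from in a pcap-ng file, as an added example that is not part of the original answer: Interface Description Blocks are numbered from 0 in file order, and each Enhanced Packet Block stores that number. The sample capture (interfaces eth0 and wlan0) is constructed, the function names are hypothetical, and a single-section file is assumed.

```python
import struct
from collections import Counter

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6  # pcap-ng block types
OPT_END, OPT_IF_NAME = 0, 2       # option codes used in an IDB

def _if_name(opts, endian):
    """Walk the IDB option list and return the if_name value, if present."""
    off = 0
    while off + 4 <= len(opts):
        code, length = struct.unpack_from(endian + "HH", opts, off)
        if code == OPT_END:
            break
        if code == OPT_IF_NAME:
            return opts[off + 4:off + 4 + length].decode("utf-8", "replace")
        off += 4 + length + (-length % 4)  # option values are padded to 32 bits
    return None

def packets_per_interface(data):
    """Return ({interface_id: name}, Counter({interface_id: packet count}))."""
    names, counts, endian, off = {}, Counter(), "<", 0
    while off + 12 <= len(data):
        if data[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB: byte-order magic follows
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, off)
        if blen < 12 or off + blen > len(data):
            raise ValueError("truncated or corrupt block at offset %d" % off)
        body = data[off + 8:off + blen - 4]
        if btype == IDB:    # the n-th IDB in the file is interface_id n
            names[len(names)] = _if_name(body[8:], endian)
        elif btype == EPB:  # first EPB field is the interface_id
            counts[struct.unpack_from(endian + "I", body)[0]] += 1
        off += blen         # other block types are skipped
    return names, counts

def _block(btype, body):
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

def _opt(code, value):
    return struct.pack("<HH", code, len(value)) + value + b"\0" * (-len(value) % 4)

def sample_capture():
    """Constructed sample: interfaces eth0 and wlan0, three packets."""
    out = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    for name in (b"eth0", b"wlan0"):  # IDB: linktype 1, snaplen 65535
        out += _block(IDB, struct.pack("<HHI", 1, 0, 65535)
                      + _opt(OPT_IF_NAME, name) + _opt(OPT_END, b""))
    for if_id in (0, 1, 1):  # EPB: interface_id, timestamp, lengths, data
        out += _block(EPB, struct.pack("<5I", if_id, 0, 0, 4, 4) + b"\xde\xad\xbe\xef")
    return out
```

Calling packets_per_interface on the bytes of a real pcap-ng file gives the same id-to-name mapping that the display filter frame.interface_id == N selects on.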

0

You can filter a bit when you are using Linux cooked capture, using the SLL filter. Take a look at http://wiki.wireshark.org/SLL, and look for options in the Filter Expression window.

Although you can't exactly filter each interface, you can for example select the type of interface with 'sll.hatype == 1' for Ethernet or 'sll.hatype == 512' for PPP interfaces (see values in the if_arp.h header file).

Julio Diez

Posted 2011-08-18T03:09:42.977

Reputation: 1