On Feb 6, 2018, at 9:20 AM, Richard Sharpe <[email protected]> wrote:

> On Tue, Feb 6, 2018 at 9:07 AM, S. Jacobi <[email protected]> wrote:
>> On Tue, 6 Feb 2018 09:05:14 -0800
>> Richard Sharpe <[email protected]> wrote:
>> 
>>> As far as I am aware it is the kernel that is doing this. Also, I
>>> believe that only Linux supports the any device.
>> 
>> We are on Linux, yes, but we don't capture from any. tshark allows
>> specifying multiple interfaces.
> 
> I have not looked at the code, but I suspect that it is something like this:
> 
> https://stackoverflow.com/questions/37294540/binding-the-af-packet-socket-to-all-interfaces
> 
> That is, the kernel is doing it.

That's how the "any" device is implemented by libpcap, so that's what happens 
if you capture on the "any" device.

However, if, in Wireshark or TShark or dumpcap, you capture from an explicitly 
specified list of interfaces containing more than one interface, there are 
multiple pcap_t's open, and packets are separately received from all of those 
pcap_t's and those are written to a single capture file.

So if they aren't in timestamp order when you explicitly capture on more than 
one interface, that's dumpcap's fault (which means it's the fault of 
"Wireshark", in the sense of the entire Wireshark release, as dumpcap is the 
program that does the packet capturing for Wireshark and TShark), not the fault 
of the OS kernel.
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:[email protected]?subject=unsubscribe
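
As an added illustration (not part of the original message, and not Wireshark's or dumpcap's code): a Python check that walks a pcapng capture file, the format that records an interface ID with each packet, and reports every packet whose timestamp is older than one already written before it, together with the interface it arrived on. The function names and the sample capture are constructed for this example.

```python
import struct
from fractions import Fraction

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6   # pcapng block types

def ts_unit(opts, end):
    """Seconds per timestamp tick, from the IDB's if_tsresol option (default 1 µs)."""
    pos = 0
    while pos + 4 <= len(opts):
        code, length = struct.unpack_from(end + "HH", opts, pos)
        if code == 9 and length == 1:                  # if_tsresol
            v = opts[pos + 4]
            return Fraction(1, 2 ** (v & 0x7F) if v & 0x80 else 10 ** v)
        pos += 4 + (length + 3) // 4 * 4               # option values are padded to 32 bits
    return Fraction(1, 10 ** 6)

def read_packets(buf):
    """Yield (interface_id, timestamp_seconds) for every Enhanced Packet Block."""
    pos, end, units = 0, "<", []
    while pos + 12 <= len(buf):
        if buf[pos:pos + 4] == b"\x0a\x0d\x0d\x0a":    # new section: byte order, fresh IDs
            end, units = ("<" if buf[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"), []
        btype, blen = struct.unpack_from(end + "II", buf, pos)
        if blen < 12 or blen % 4:
            raise ValueError(f"bad block length at offset {pos}")
        body = buf[pos + 8:pos + blen - 4]
        if btype == IDB:
            units.append(ts_unit(body[8:], end))       # options follow linktype/snaplen
        elif btype == EPB:
            iface, hi, lo = struct.unpack_from(end + "III", body)
            yield iface, ((hi << 32) | lo) * units[iface]
        pos += blen

def out_of_order(buf):
    """List (packet_index, interface_id, seconds_late) for packets older than one already written."""
    late, newest = [], Fraction(0)
    for i, (iface, ts) in enumerate(read_packets(buf)):
        if ts < newest:
            late.append((i, iface, newest - ts))
        newest = max(newest, ts)
    return late

def block(btype, body):                                # builds one block of the constructed sample
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)

def sample_capture(t0=1517936400_000000):              # constructed: two interfaces, µs ticks
    epb = lambda i, t: block(EPB, struct.pack("<IIIII", i, t >> 32, t & 0xFFFFFFFF, 0, 0))
    idb = block(IDB, struct.pack("<HHI", 1, 0, 65535))
    shb = block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
    return shb + idb + idb + epb(0, t0) + epb(0, t0 + 500) + epb(1, t0 + 200) + epb(0, t0 + 900)
```

To check a real capture, pass the file's bytes: `out_of_order(open(path, "rb").read())`.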
