> I am unable to add 'bluetooth-monitor' as an interface to nftables even to test.

Not all of the entities on which you can capture correspond to "normal" interfaces on the operating system for the machine running Wireshark.

For one thing, libpcap - which is the library used by tcpdump, Wireshark, and other programs to do packet captures - supports additional capture devices that don't correspond to network interfaces that show up in the OS networking stack. For example, on Linux, there are:

  • devices to support capturing raw USB traffic on the machine's USB buses (this is different from capturing on USB network interfaces, which uses the standard network stack plumbing; it can capture USB traffic to all USB devices, including, for example, disks, keyboards, mice, etc.);
  • devices to support netfilter traffic;
  • devices to support Bluetooth traffic.

bluetooth-monitor is one of those devices; as it's not a regular network device, ifconfig, ip, and nftables don't know that it exists.

In addition, Wireshark has its own mechanism, the "external capture" or "extcap" mechanism, which allows writing programs (in a compiled or scripting language) to support capturing. Those are also unknown to the OS's networking stack.

> what may be causing Wireshark to start slower?

The "external capture"/"extcap" devices can do so. See @Jaap's comment, and try doing what he suggests. If turning on "Disable external capture interfaces" makes Wireshark start faster, the problem is that one of the extcap programs is taking a while to start up.
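
The distinction drawn in this answer can be checked on a Linux host by comparing libpcap's device list with the kernel's network interfaces under `/sys/class/net`. The script below is an added example, not part of the original answer; the `tcpdump -D` sample text is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list libpcap capture devices that are NOT kernel network
# interfaces, i.e. names that ip, ifconfig and nftables cannot refer to.

# Constructed sample of `tcpdump -D` output so the example runs offline.
SAMPLE_TCPDUMP_D='1.eth0 [Up, Running, Connected]
2.any (Pseudo-device that captures on all interfaces) [Up, Running]
3.lo [Up, Running, Loopback]
4.bluetooth-monitor (Bluetooth Linux Monitor) [Wireless]
5.nflog (Linux netfilter log (NFLOG) interface) [none]
6.usbmon0 (Raw USB traffic, all USB buses) [none]'

# pcap_device_names: read `tcpdump -D` text on stdin, print one name per line.
pcap_device_names() {
    # Drop the leading "N." index and keep everything up to the first space.
    # Names containing dots (e.g. VLAN interfaces like eth0.100) stay intact.
    sed -n 's/^[0-9][0-9]*\.\([^ ]*\).*/\1/p'
}

# pcap_only_devices [NETDIR]: read `tcpdump -D` text on stdin and print the
# devices that have no entry under NETDIR (default: /sys/class/net).
pcap_only_devices() {
    netdir=${1:-/sys/class/net}
    pcap_device_names | while IFS= read -r dev; do
        [ -e "$netdir/$dev" ] || printf '%s\n' "$dev"
    done
}

# demo: run the comparison against a constructed stand-in for /sys/class/net
# that contains only eth0 and lo.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/eth0"
    : > "$tmp/lo"
    printf '%s\n' "$SAMPLE_TCPDUMP_D" | pcap_only_devices "$tmp"
    rm -rf "$tmp"
}

demo
```

On a live system, `tcpdump -D | pcap_only_devices` performs the same comparison against the real `/sys/class/net`.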