 | 1 | initial version |
Is there a way to find from which interface a packet is coming from?
Yes. There are 2 fields that can help you identify the interface, either by "ID" or by name. The ID is just an enumeration of the interfaces by Wireshark beginning with 0. The 2 fields are: frame.interface_id and frame.interface_name.
Is there a way to find which DLT was used?
Yes, there is a way to find out the encapsulation type. The field of interest here is: frame.encap_type.
If you apply the frame.encap_type field as a column, it will show you the resolved encapsulation type by default, but you can have it display the unresolved encapsulation type instead if you wish; however, you will have to manually modify your Wireshark preferences file, replacing the line that reads:
"Encapsulation type", "%Cus:frame.encap_type:0:R",
with this:
"Encapsulation type", "%Cus:frame.encap_type:0:U",
Basically, you replace R for resolved with U for unresolved.
It would be nice if Wireshark allowed you to change the resolved vs. unresolved setting for all applicable fields from the GUI. Perhaps an enhancement bug report should be filed for this at https://bugs.wireshark.org/bugzilla/.
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.