 | 1 | initial version |
If I use Wireshark to look at a pcapng capture: - Is there a way to find from which interface a packet is coming from?
At least with sufficiently recent versions of Wireshark, if you open up the "Frame" item in the packet details pane, the first item under it will be "Interface id", which will show the interface ID number from the packet block and the interface name. Older versions might show only the interface ID number.
- Is there a way to find which DLT was used?
Raw pcap/pcapng LINKTYPE_s aren't made available outside the pcap and pcapng file reader modules, but if you open up the "Frame" item in the packet details pane, the item after "Interface id" will be "Encapsulation type", which will show the link-layer encapsulation type, which, in pcap and pcapng files, reflects the LINKTYPE_ used.
(DLT_s are used in the libpcap API, but pcap and pcapng files use LINKTYPE_s. Most LINKTYPE_s have the same numerical value as the corresponding DLT_, but there are exceptions, for binary compatibility in some OSes. Not all DLT_s have the same numerical value in all OSes; that's OK for APIs, as programs are generally compiled for particular OSes, but it's not OK for capture files, as a given numerical value for the link-layer type in a file must mean the same thing on all OSes, so there's a separate space of LINKTYPE_ values.)
| | 2 | No.2 Revision |
If I use Wireshark to look at a pcapng
capture:capture: - Is there a way to find from which interface a packet is coming from?
At least with sufficiently recent versions of Wireshark, if you open up the "Frame" item in the packet details pane, the first item under it will be "Interface id", which will show the interface ID number from the packet block and the interface name. Older versions might show only the interface ID number.
- Is there a way to find which DLT was used?
Raw pcap/pcapng LINKTYPE_s aren't made available outside the pcap and pcapng file reader modules, but if you open up the "Frame" item in the packet details pane, the item after "Interface id" will be "Encapsulation type", which will show the link-layer encapsulation type, which, in pcap and pcapng files, reflects the LINKTYPE_ used.
(DLT_s are used in the libpcap API, but pcap and pcapng files use LINKTYPE_s. Most LINKTYPE_s have the same numerical value as the corresponding DLT_, but there are exceptions, for binary compatibility in some OSes. Not all DLT_s have the same numerical value in all OSes; that's OK for APIs, as programs are generally compiled for particular OSes, but it's not OK for capture files, as a given numerical value for the link-layer type in a file must mean the same thing on all OSes, so there's a separate space of LINKTYPE_ values.)
| | 3 | No.3 Revision |
If I use Wireshark to look at a pcapng
capture: -capture:
- Is there a way to find from which interface a packet is coming from?
At least with sufficiently recent versions of Wireshark, if you open up the "Frame" item in the packet details pane, the first item under it will be "Interface id", which will show the interface ID number from the packet block and the interface name. Older versions might show only the interface ID number.
- Is there a way to find which DLT was used?
Raw pcap/pcapng LINKTYPE_s aren't made available outside the pcap and pcapng file reader modules, but if you open up the "Frame" item in the packet details pane, the item after "Interface id" will be "Encapsulation type", which will show the link-layer encapsulation type, which, in pcap and pcapng files, reflects the LINKTYPE_ used.
(DLT_s are used in the libpcap API, but pcap and pcapng files use LINKTYPE_s. Most LINKTYPE_s have the same numerical value as the corresponding DLT_, but there are exceptions, for binary compatibility in some OSes. Not all DLT_s have the same numerical value in all OSes; that's OK for APIs, as programs are generally compiled for particular OSes, but it's not OK for capture files, as a given numerical value for the link-layer type in a file must mean the same thing on all OSes, so there's a separate space of LINKTYPE_ values.)
| | 4 | No.4 Revision |
If I use Wireshark to look at a pcapng capture:
- Is there a way to find from which interface a packet is coming from?
At least with sufficiently recent versions of Wireshark, if you open up the "Frame" item in the packet details pane, the first item under it will be "Interface id", which will show the interface ID number from the packet block and the interface name. Older versions might show only the interface ID number.
- Is there a way to find which DLT was used?
Raw pcap/pcapng LINKTYPE_s aren't made available outside the pcap and pcapng file reader modules, but if you open up the "Frame" item in the packet details pane, the item after "Interface id" will be "Encapsulation type", which will show the link-layer encapsulation type, which, in pcap and pcapng files, reflects the LINKTYPE_ used.
(DLT_s are used in the libpcap API, but pcap and pcapng files use LINKTYPE_s. Most LINKTYPE_s have the same numerical value as the corresponding DLT_, but there are exceptions, for binary compatibility in some OSes. Not all DLT_s have the same numerical value in all OSes; that's OK for APIs, as programs are generally compiled for particular OSes, but it's not OK for capture files, as a given numerical value for the link-layer type in a file must mean the same thing on all OSes, so there's a separate space of LINKTYPE_ values.)
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
