Ask Your Question
0

How to display the interface name on trace

asked 2020-10-04 11:00:01 +0000

Bryon gravatar image

updated 2020-10-04 11:00:19 +0000

Hi, I am debugging an asymetric routing issue and need to trace on two interfaces. I am trying to work out if I can display the interface that a packet was captured on so I can see the impact of configuring routing tables as I make changes.

Here is my command:

tshark -i eno1 -i enp5s0 -T fields -E header=y -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info -Y "(ip.src==192.10.10.30 && ip.dst==192.10.0.50) || (ip.src==192.10.0.50 && ip.dst==192.10.10.30)"
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-10-04 13:29:14 +0000

grahamb gravatar image

There are three fields that may be of use in this case:

  • frame.interface_id
  • frame.interface_name
  • frame.interface_description

The actual info in these fields depends somewhat on the capturing platform and capture file format, I'm uncertain but think interface_id is the id of the interface counting from 0 as they are found in the capture file so doesn't actually relate to the physical interface.

edit flag offensive delete link more

Comments

Thanks. I was looking in the Wireshark doco (https://www.wireshark.org/docs/dfref/) and could not make the connection between what is displayed and the options on the command line. Now I understand how to navigate it. And in 20 seconds of adding the interface name I can now see exactly what is going on with my asymetric route issue. Thanks!

Bryon gravatar imageBryon ( 2020-10-04 21:51:35 +0000 )edit

The actual info in these fields depends somewhat on the capturing platform and capture file format,

The only formats supported for live captures are pcapng, which is the default and provides interface information, and pcap, which provides no interface information and isn't supported for capturing on multiple interface (dumpcap switches to pcapng and ignores the -P flag).

On all platforms, you should get an interface name; on UN*Xes, it'll be what one generally thinks of as the "interface name" ("en0", "eth0", "lo0", "xyzzy17", etc.), and on Windows, it's the ugly meaningless string with a GUID in it.

On some platforms, you may get an interface description; on Windows, it's probably what you want, as it's somewhat human-readable.

The person asking the question is probably using Linux, given the interface name "enp5s0", and that'a UN*X, so they probably want the interface name.

I ...

(more)
Guy Harris gravatar imageGuy Harris ( 2020-10-04 23:29:05 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-10-04 11:00:01 +0000

Seen: 78 times

Last updated: Oct 04