Ask Your Question
0

Writing a post-dissector: can I get the mac-address of the capturing interface?

asked 2018-03-13 08:10:00 +0000

Hi,

is there any variable or way to query the value of the capturing-interface to be used into a postdissector?

I know that you can also capture from multiple interfaces at the same time, and this could be a problem, but I'am focusing on single interface capture.

Thanks Gian

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-03-14 00:44:35 +0000

Guy Harris gravatar image

Currently, no.

First of all, not all capture file formats have a provision for recording MAC addresses for capture interfaces as per-interface metadata.

pcapng does support that, but 1) I don't know whether any capturing software currently provides it (Wireshark currently doesn't) and 2) Wireshark doesn't save that information when reading a capture.

edit flag offensive delete link more

Comments

Thank you for the answer. It's a bad luck! I am writing a simple post-dissector that mark any packet as being INbound or OUTbound. The logic is simple: when you are capturing your ethernet network adapter, if eth.src==your-mac-address then it is an outgoing packet, else it is coming in. Every user has to modify the post-dissector based on its specific mac-address, and if we could have got it dynamically then it would have worked completely automatic. Thanks again anyway.

M@xF@actor gravatar image[email protected]@actor ( 2018-03-14 08:08:13 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-03-13 08:10:00 +0000

Seen: 48 times

Last updated: Mar 14