Information about ingress/egress network interface in captures
I'm using Wireshark to sniff Ethernet interfaces on a Linux machine.
I noticed a couple of limitations that make life harder for me when it comes to interpreting the captures:
- When capturing on an individual Ethernet interface, the capture does not show packet direction: did the packet come in or out of the interface?
- When capturing on a bridge interface (as in,
brctl/ip link add XXX type bridge), the capture does not show which underlying interface received the packet.- For example, if the bridge includes interfaces
eth0andeth1, I'd like Wireshark to tell me if a given packet arrived oneth0or oneth1.
- For example, if the bridge includes interfaces
Is there any way to lift or otherwise work around these limitations?
One option is to capture on
eth0andeth1simultaneously as separate interfaces, instead of capturing on the bridge interface. Then (when using pcapng, as is the default currently) the interface is indicated in theframeprotocol.