Help with Bridge

asked 2026-03-20 15:22:42 +0000

skpbtl

I am new to Wireshark. I am working with the idea of capturing both Tx and Rx streams simultaneously using a passive TAP and Kali. I have read that 2 NICs are required and can be bridged (Br). Everything works, I am capturing packets. I wanted to verify that I am capturing all packets by running the 2 NICs and the bridge at the same time with 3 instances of Wireshark. The 3 output files (pcapng) were exported and merged into a CSV file. The entries are sorted by timestamp. I would expect that for every Br (bridged) entry there would be a corresponding Tx or Rx entry, and that every Tx and Rx entry would have a corresponding Br. I don't have that result. I have some Tx and Rx without a corresponding Br. Every Br that I have seen in the file has a corresponding Rx or Tx. But, not the other way around. Basically, I see that the bridge is not seeing (or recording) all the Tx and Rx packets. Would someone know if this is normal behavior? Obviously this isn't the way one would normally capture streams. I suspect my computer may not be able to process this much streaming data at the same time. i5-6500T 2.5GHz CPU, 32GB memory. The computer is dedicated to Kali only, connected to the internet only when necessary. I hope this isn't too confusing.


Comments

Why create a bridge interface when you can just capture on both Ethernet interfaces at once?

SYN-bit (2026-03-20 16:12:17 +0000)

As I wrote, I was working with the idea of capturing both at the same time. I read in a blog that that was the way to do it. You're spot on with your suggestion. I would only have to merge both files instead of having one. It's probably the best way to go. I am still curious as to why I got the results that I did. Thank you.

skpbtl (2026-03-20 19:34:57 +0000)

You can capture on both interfaces at the same time in tshark and wireshark (and dumpcap), just add double -i <int> parameters, or select multiple interfaces in the Wireshark GUI. All packets will be saved to one file.

I can only guess, but a bridge is used to forward packets from one interface to the other and there is logic for when to do that and when not to. So a detailed analysis may give you some insight, but I would not spend the time on it.

If you want to use your Kali box as a simple TAP, you can use the bridging setup to make sure traffic gets passed between the two ethernet interfaces, but that is a totally different capture setup :-)

SYN-bit (2026-03-20 20:34:44 +0000)
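The reconciliation the asker did by hand (merge the Tx, Rx and Br exports, sort by time, look for endpoint frames with no bridge copy) can be automated. The script below is an added example, not code from the thread or from the Wireshark project. It assumes the captures were exported with `tshark -T fields` into columns for `frame.time_epoch`, the interface name, `ip.src`, `ip.dst`, `ip.id` and `frame.len`; the sample rows, the interface labels Tx/Rx/Br and the 5 ms matching tolerance are constructed for the example. Frames are matched on packet content rather than on timestamp alone, because the same frame seen on two interfaces carries two different capture timestamps. The same check works on a single multi-interface capture made the way SYN-bit describes, using the per-frame interface column instead of three separate files.

```python
"""Reconcile per-interface captures (Tx, Rx) against a bridge capture (Br).

Constructed example data, not from the original thread. Each row mimics a
`tshark -T fields` export: time_epoch, interface, ip.src, ip.dst, ip.id, frame.len.
Frames are matched on content (src, dst, IP ID, length), not on timestamp alone,
because the same frame seen on different interfaces gets different timestamps.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: three captures merged and sorted by timestamp.
# One Tx frame (IP ID 0x1a2c) never shows up on the bridge, and one Br
# frame (IP ID 0x9999) has no endpoint copy, so both directions of the
# check are exercised.
MERGED_CSV = """\
time_epoch,iface,ip_src,ip_dst,ip_id,frame_len
1.000,Tx,10.0.0.5,93.184.216.34,0x1a2b,74
1.0002,Br,10.0.0.5,93.184.216.34,0x1a2b,74
1.020,Rx,93.184.216.34,10.0.0.5,0x3c4d,74
1.0203,Br,93.184.216.34,10.0.0.5,0x3c4d,74
1.021,Tx,10.0.0.5,93.184.216.34,0x1a2c,66
1.030,Rx,93.184.216.34,10.0.0.5,0x3c4e,1514
1.0304,Br,93.184.216.34,10.0.0.5,0x3c4e,1514
1.040,Br,10.0.0.5,93.184.216.34,0x9999,60
"""

# Assumed maximum gap between an endpoint copy and its bridge copy of one frame.
TOLERANCE_S = 0.005


def parse_rows(text):
    """Turn the CSV export into dicts with a content key per frame."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "t": float(r["time_epoch"]),
            "iface": r["iface"],
            "key": (r["ip_src"], r["ip_dst"], r["ip_id"], r["frame_len"]),
        })
    return rows


def reconcile(rows, tolerance=TOLERANCE_S):
    """Return (unmatched_endpoint, unmatched_bridge).

    unmatched_endpoint: Tx/Rx frames with no Br copy within `tolerance`.
    unmatched_bridge:   Br frames with no Tx/Rx copy at all.
    """
    by_key = defaultdict(lambda: {"Br": [], "end": []})
    for r in rows:
        bucket = "Br" if r["iface"] == "Br" else "end"
        by_key[r["key"]][bucket].append(r)

    unmatched_end, unmatched_br = [], []
    for sides in by_key.values():
        br_left = list(sides["Br"])
        for e in sides["end"]:
            # Nearest-in-time bridge copy with identical content; each bridge
            # frame may satisfy only one endpoint frame.
            cand = min(br_left, key=lambda b: abs(b["t"] - e["t"]), default=None)
            if cand is not None and abs(cand["t"] - e["t"]) <= tolerance:
                br_left.remove(cand)
            else:
                unmatched_end.append(e)
        unmatched_br.extend(br_left)
    return unmatched_end, unmatched_br


def summarize(text):
    """Summarize bridge capture completeness for a merged CSV export."""
    rows = parse_rows(text)
    end_miss, br_miss = reconcile(rows)
    total_end = sum(1 for r in rows if r["iface"] != "Br")
    return {
        "endpoint_frames": total_end,
        "missing_on_bridge": sorted((e["iface"], e["key"][2]) for e in end_miss),
        "bridge_only": sorted(b["key"][2] for b in br_miss),
        "bridge_loss_pct": round(100.0 * len(end_miss) / total_end, 1) if total_end else 0.0,
    }


if __name__ == "__main__":
    for name, value in summarize(MERGED_CSV).items():
        print(f"{name}: {value}")
```

A non-empty `missing_on_bridge` list with an empty `bridge_only` list is exactly the pattern the asker reports: the endpoint NICs see frames that the bridge never records. Matching on IP ID and length is enough for a quick sanity check; for a rigorous comparison, a hash of the full frame bytes (exportable with `frame` as a field) avoids false matches on retransmissions that reuse the same IP ID.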

Thanks again

skpbtl (2026-03-20 21:05:42 +0000)