0

How can I see the interface name and DLT for a packet in Wireshark

asked 2018-11-20 23:23:44 +0000

dega

updated 2018-11-21 20:37:34 +0000

Guy Harris

pcapng has the ability to handle simultaneous captures from many interfaces and these interfaces may use different DLT (aka LINKTYPE).
If I use Wireshark to look at a pcapng capture:
- Is there a way to find from which interface a packet is coming from?
- Is there a way to find which DLT was used?


Comments

Do you mean "how can I do this in Wireshark" or do you mean "how can I do this in my own program that reads pcapng files"?

Guy Harris ( 2018-11-21 04:23:57 +0000 )

@Guy
To clarify, I added the second sentence.

dega ( 2018-11-21 13:38:30 +0000 )

2 Answers

0

answered 2018-11-21 20:34:59 +0000

Guy Harris

updated 2018-11-21 20:37:03 +0000

If I use Wireshark to look at a pcapng capture:

  • Is there a way to find from which interface a packet is coming from?

At least with sufficiently recent versions of Wireshark, if you open up the "Frame" item in the packet details pane, the first item under it will be "Interface id", which will show the interface ID number from the packet block and the interface name. Older versions might show only the interface ID number.

  • Is there a way to find which DLT was used?

Raw pcap/pcapng LINKTYPEs aren't made available outside the pcap and pcapng file reader modules, but if you open up the "Frame" item in the packet details pane, the item after "Interface id" will be "Encapsulation type", which will show the link-layer encapsulation type, which, in pcap and pcapng files, reflects the LINKTYPE used.

(DLT_s are used in the libpcap API, but pcap and pcapng files use LINKTYPE_s. Most LINKTYPE_s have the same numerical value as the corresponding DLT_, but there are exceptions, for binary compatibility in some OSes. Not all DLT_s have the same numerical value in all OSes; that's OK for APIs, as programs are generally compiled for particular OSes, but it's not OK for capture files, as a given numerical value for the link-layer type in a file must mean the same thing on all OSes, so there's a separate space of LINKTYPE_ values.)

0

answered 2018-11-21 17:24:17 +0000

cmaynard

Is there a way to find from which interface a packet is coming from?

Yes. There are 2 fields that can help you identify the interface, either by "ID" or by name. The ID is just an enumeration of the interfaces by Wireshark beginning with 0. The 2 fields are: frame.interface_id and frame.interface_name.

Is there a way to find which DLT was used?

Yes, there is a way to find out the encapsulation type. The field of interest here is: frame.encap_type.

If you apply the frame.encap_type field as a column, it will show you the resolved encapsulation type by default, but you can have it display the unresolved encapsulation type instead if you wish; however, you will have to manually modify your Wireshark preferences file, replacing the line that reads:

"Encapsulation type", "%Cus:frame.encap_type:0:R",

with this:

"Encapsulation type", "%Cus:frame.encap_type:0:U",

Basically, you replace R for resolved with U for unresolved.

It would be nice if Wireshark allowed you to change the resolved vs. unresolved setting for all applicable fields from the GUI. Perhaps an enhancement bug report should be filed for this at https://bugs.wireshark.org/bugzilla/.


Comments

The info can also be seen in the Statistics -> Capture File Properties dialog, or by using the command line capinfos tool.

grahamb ( 2018-11-21 17:32:40 +0000 )

Well yes, the relevant interfaces in the capture file can be seen there or with the capinfos tool, but they don't tell you the interface per packet, which I believe is what the question pertained to.

cmaynard ( 2018-11-21 17:38:13 +0000 )

Agreed, I didn't read the question correctly.

grahamb ( 2018-11-21 17:45:01 +0000 )
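
Where the per-packet interface ID, interface name and LINKTYPE discussed in the answers above sit in a pcapng file, as an added example that is not part of the original thread and is not Wireshark's code: a minimal reader that maps each Enhanced Packet Block's interface ID to the if_name option and LINKTYPE of the matching Interface Description Block. The sample capture is constructed inline, the names `block`, `idb`, `epb` and `packets` are made up for this example, and only Enhanced Packet Blocks are read.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 1, 6  # pcapng block type codes

def block(btype, body):  # build one little-endian block (for the constructed sample)
    body += b"\0" * (-len(body) % 4)
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)

def idb(linktype, name):  # Interface Description Block with an if_name option (code 2)
    opt = struct.pack("<HH", 2, len(name)) + name + b"\0" * (-len(name) % 4)
    return block(IDB, struct.pack("<HHI", linktype, 0, 65535) + opt + b"\0" * 4)

def epb(if_id, data):  # Enhanced Packet Block: interface ID, timestamp, lengths, data
    return block(EPB, struct.pack("<5I", if_id, 0, 0, len(data), len(data)) + data)

# Constructed sample: two interfaces with different LINKTYPEs (1 Ethernet, 113 Linux SLL).
SAMPLE = (block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)) + idb(1, b"eth0")
          + idb(113, b"any") + epb(0, b"A" * 14) + epb(1, b"B" * 16) + epb(0, b"C" * 14))

def packets(buf):
    """Yield (frame number, interface ID, interface name, LINKTYPE) for each packet."""
    off, end, ifaces, frame = 0, "<", [], 0
    while off + 12 <= len(buf):
        if buf[off:off + 4] == b"\x0a\x0d\x0d\x0a":  # SHB: byte order set, interface IDs restart
            end, ifaces = ("<" if buf[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"), []
        btype, total = struct.unpack_from(end + "II", buf, off)
        if total < 12 or total % 4 or off + total > len(buf):
            raise ValueError(f"bad block length at offset {off}")
        body = buf[off + 8:off + total - 4]
        if btype == IDB:  # an interface's ID is its position among the section's IDBs
            linktype, name, pos = struct.unpack_from(end + "H", body)[0], None, 8
            while pos + 4 <= len(body):
                code, length = struct.unpack_from(end + "HH", body, pos)
                if code == 0:  # opt_endofopt
                    break
                if code == 2:  # if_name
                    name = body[pos + 4:pos + 4 + length].decode("utf-8", "replace")
                pos += 4 + length + (-length % 4)
            ifaces.append((name, linktype))
        elif btype == EPB:
            if_id = struct.unpack_from(end + "I", body)[0]
            if if_id >= len(ifaces):
                raise ValueError(f"packet references undefined interface {if_id}")
            frame += 1
            yield (frame, if_id) + ifaces[if_id]
        off += total

if __name__ == "__main__":
    print(*packets(SAMPLE), sep="\n")
```

The name comes back as `None` when the Interface Description Block carries no if_name option, which is the case where only an interface ID number can be shown.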
