pcapng has the ability to handle simultaneous captures from many interfaces and these interfaces may use different DLT (aka LINKTYPE).
If I use Wireshark to look at a pcapng capture:
- Is there a way to find from which interface a packet is coming from?
- Is there a way to find which DLT was used?
If I use Wireshark to look at a pcapng capture:
- Is there a way to find from which interface a packet is coming from?
At least with sufficiently recent versions of Wireshark, if you open up the "Frame" item in the packet details pane, the first item under it will be "Interface id", which will show the interface ID number from the packet block and the interface name. Older versions might show only the interface ID number.
- Is there a way to find which DLT was used?
Raw pcap/pcapng LINKTYPEs aren't made available outside the pcap and pcapng file reader modules, but if you open up the "Frame" item in the packet details pane, the item after "Interface id" will be "Encapsulation type", which will show the link-layer encapsulation type, which, in pcap and pcapng files, reflects the LINKTYPE used.
(DLT_s are used in the libpcap API, but pcap and pcapng files use LINKTYPE_s. Most LINKTYPE_s have the same numerical value as the corresponding DLT_, but there are exceptions, for binary compatibility in some OSes. Not all DLT_s have the same numerical value in all OSes; that's OK for APIs, as programs are generally compiled for particular OSes, but it's not OK for capture files, as a given numerical value for the link-layer type in a file must mean the same thing on all OSes, so there's a separate space of LINKTYPE_ values.)
Is there a way to find from which interface a packet is coming from?
Yes. There are 2 fields that can help you identify the interface, either by "ID" or by name. The ID is just an enumeration of the interfaces by Wireshark beginning with 0. The 2 fields are: frame.interface_id and frame.interface_name.
Is there a way to find which DLT was used?
Yes, there is a way to find out the encapsulation type. The field of interest here is: frame.encap_type.
If you apply the frame.encap_type field as a column, it will show you the resolved encapsulation type by default, but you can have it display the unresolved encapsulation type instead if you wish; however, you will have to manually modify your Wireshark preferences file, replacing the line that reads:
"Encapsulation type", "%Cus:frame.encap_type:0:R",
with this:
"Encapsulation type", "%Cus:frame.encap_type:0:U",
Basically, you replace R for resolved with U for unresolved.
It would be nice if Wireshark allowed you to change the resolved vs. unresolvedsetting for all applicable fields from the GUI. Perhaps an enhancement bug report should be filed for this at https://bugs.wireshark.org/bugzilla/.
Asked: 2018-11-20 23:23:44 +0000
Seen: 7,659 times
Last updated: Nov 21 '18
Do you mean "how can I do this in Wireshark" or do you mean "how can I do this in my own program that reads pcapng files"?
@Guy
To clarify, I added the second sentence.