This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to determine which NIC is being used?

I have 3 NICs in a Windows box. NIC1 local network. NIC2 slow ISP. NIC3 fast ISP.

What I am trying to do: Capture a couple of thousand packets from all 3 NICs. Then look at a packet that I am interested in and see which NIC is being used.

Example: I see a packet with the source address of a PC on my LAN. Which NIC is it using to connect to the internet?

Reason for this: 1. I want to make some of the LAN use the slow NIC and the rest use the fast NIC. 2. Geeky frustration: I believe I should be able to use Wireshark to find out the information I want, but I am unable to work out how.

To solve my "some LAN to slow NIC" problem I think I need to use a static route, but AFAIK that relies on destination IP, not source IP? If anyone can help me out with either of these points, it would save me from continuing to have a headache :)

asked 23 Jul '13, 07:52

apaseall


One Answer:

If you're capturing on the PC on all three interfaces with a single Wireshark instance at the same time, and using PCAPng as capture file format, Wireshark (actually, dumpcap) will keep the interface index used to capture each frame as an integer in the header of each frame, which you can filter on or create a column for. Just take a look at the first layer of your packets, and you'll see a line telling you the interface index. On that you can use the popup menu to filter on the number, or also to apply it as a column.

If you're not capturing at the same time, or not on the PC itself, or not using PCAPng, you can try to determine the NIC by looking at the MAC the frame was sent with. Using IP addresses of the cards will very often not help because Windows is notorious for sending packets on NICs other than the one holding a specific IP in case the NICs are all in the same subnet. Going by MAC should work though.

answered 23 Jul '13, 08:35

Jasper ♦♦

Thanks Jasper for the reply. I am indeed using Wireshark on the PC with all three cards. I captured a couple of thousand packets from all three interfaces at once.

I am not sure what PCAPng is.

I saw the interface index but that is just a number. I tried to find another part of Wireshark that would let me know which NIC that number corresponded to, but failed :(

As for the MAC addresses, I tried looking for them but could not find any that corresponded to any of the known MACs I have, i.e. not for the 3 NICs in the box, or the switch (connected to NIC1 to get LAN), nor the client PC.

(23 Jul '13, 08:45) apaseall

I converted your comment to a comment.

I see. "PCAPng" is a file format, which is automatically used since Wireshark 1.8 or later. You can usually tell by the file extension ".pcapng", or by just using the "File Open" dialog which will show you the format in the lower right pane.

Regarding the interface indexes - try opening the "Summary" in the statistics menu. It will list all capture interfaces that were captured on in the current trace. Usually the first line is interface id 0, the second is id 1 and so on. Note the GUID of the interface (the number in the curly brackets), which is the unique identifier the OS uses to identify the card.

Run a command prompt, and type "getmac". It should give you a list of MAC addresses and transport names, with the same GUIDs as you saw in the summary statistics. With that you can map the capture cards to the MACs. With "ipconfig /all" you can map the MACs to the IPs.

Let me know if I'm going too fast and I'll explain the steps in greater detail.

(23 Jul '13, 09:04) Jasper ♦♦
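The interface-index lookup described in the answer and comment above, as an added example that is not part of the original thread or of Wireshark's own code: a minimal pcapng reader that numbers the Interface Description Blocks in file order and reports, for each frame, its interface id, interface name and Ethernet source MAC. It assumes a single-section file with Ethernet frames in Enhanced Packet Blocks; the `\Device\NPF_{...}` names, GUIDs and MACs in the sample are constructed placeholders.

```python
import struct
from collections import Counter

IDB, EPB = 0x00000001, 0x00000006          # pcapng block type codes
def read_blocks(data):
    """Yield (type, body, endian) for each block of a single-section pcapng file."""
    e = "<" if data[8:12] == b"\x4d\x3c\x2b\x1a" else ">"   # byte-order magic in the SHB
    pos = 0
    while pos + 12 <= len(data):
        btype, total = struct.unpack_from(e + "II", data, pos)
        if total < 12 or total % 4 or pos + total > len(data):
            raise ValueError("corrupt block at offset %d" % pos)
        yield btype, data[pos + 8:pos + total - 4], e
        pos += total

def if_name(body, e):
    """Return the if_name option (code 2) of an Interface Description Block."""
    pos = 8                                # skip linktype, reserved, snaplen
    while pos + 4 <= len(body):            # opt_endofopt (0, 0) is the last entry
        code, length = struct.unpack_from(e + "HH", body, pos)
        if code == 2:
            return body[pos + 4:pos + 4 + length].decode("utf-8", "replace")
        pos += 4 + length + (-length % 4)  # option values are padded to 32 bits
    return "?"

def frames_per_interface(data):
    """Count frames per (interface id, interface name, Ethernet source MAC)."""
    names, hits = [], Counter()
    for btype, body, e in read_blocks(data):
        if btype == IDB:
            names.append(if_name(body, e)) # interface id = order of the IDBs
        elif btype == EPB and len(body) >= 32:
            iface = struct.unpack_from(e + "I", body, 0)[0]
            name = names[iface] if iface < len(names) else "?"
            hits[(iface, name, body[26:32].hex(":"))] += 1  # 20-byte header + 6-byte dst MAC
    return hits

# --- constructed sample capture: placeholder GUIDs and MACs, not from the page ---
def _blk(btype, body):
    return struct.pack("<II", btype, 12 + len(body)) + body + struct.pack("<I", 12 + len(body))
def _idb(name):
    n = name.encode()
    return _blk(IDB, struct.pack("<HHIHH", 1, 0, 65535, 2, len(n)) + n + bytes(-len(n) % 4) + bytes(4))
def _epb(iface, src):
    pkt = b"\xff" * 6 + bytes.fromhex(src) + b"\x08\x00\x00\x00"   # 16 bytes, already aligned
    return _blk(EPB, struct.pack("<IIIII", iface, 0, 0, 16, 16) + pkt)
NAMES = [r"\Device\NPF_{00000000-0000-0000-0000-00000000000%d}" % i for i in (1, 2)]
SAMPLE = (_blk(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1)) + _idb(NAMES[0]) + _idb(NAMES[1])
          + _epb(0, "020000000001") + _epb(1, "020000000002") + _epb(1, "020000000002"))
```

On a saved capture, pass the file's bytes to `frames_per_interface`; the GUID inside the braces of each interface name is the value to match against the transport names printed by `getmac`.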

New to this forum so thanks for converting to a comment.

I had not saved the capture. Now I see what the PCAPng is :)

I try and stay away from GUIDs, which I guess is the reason they are so long.

Getmac is a new one for me :) I now have a pile of numbers associated with each NIC (MAC, GUID, IPv4 address, IPv6 address, plus the ISP boxes' IPv4 address and IPv6 address). Think that should give me something to use whilst looking at the capture.

I'm keeping up so far, going to take a while away from looking into this. Might even be tomorrow before I can sit down with a clear head. I'll let you know how I go on, once I have another bash at it.

(23 Jul '13, 10:18) apaseall

Sure, take your time ;-)

(23 Jul '13, 11:02) Jasper ♦♦

I have sidestepped the issue for now. I think I understand now how to solve the issue if I need to go back to it.

My solution: NIC3 has the lowest automatic metric. Use NAT with NIC1 internal with NIC2 and NIC3 public. Enter static route to NIC2 for known destination. Basically I went and found out the IP range of the destination I wanted the client to use NIC2 with.

Ugly solution in my mind as what I really want is to split NIC2 and NIC3 usage on LAN IP not destination addresses.

(24 Jul '13, 10:23) apaseall