How do I know the name of the interface for the -i flag in Windows? I tried the reported name (Intel(r) 82579LM Gigabit Network Connection) both with and without quotes around it, as well as the interface listed when you go to Capture Interfaces -> Details, which shows \Devices\NPF_{362508C4-F6CC-4A4A-AB17-9DA1017E4C41} (I tried using just the NPF and the rest to the right with the -i flag). Any help would be great as I'm writing this into a script...

asked 20 Jun '12, 08:49 rjr162
converted to question 20 Jun '12, 13:20 grahamb ♦
One Answer:
Wireshark (and tshark and dumpcap and windump) all take a -D flag which will display the interface names which can be captured on, and the index of the interfaces. The -i flag will use the index or the name which can be easier for scripting.

answered 20 Jun '12, 13:30 grahamb ♦
Never mind.. I guess adding the \Devices\ part was the answer!
Note that the "reported name" is, I think, the vendor-supplied description, and that might, on a (probably server) machine with multiple adapters of the same type, not be unique.
Supporting using the description as a "-i" argument might not be a bad idea - it'd presumably fail if there's more than one interface with the same description. You might want to file an enhancement request on the Wireshark bugzilla for that. (Supporting the "friendly name" might also be nice; that'd require extending pcap to support that or having *shark do it directly.)
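
For scripting, the description-to-name lookup discussed in this thread can be done by parsing the -D listing. The following is an added example, not code from the thread or from Wireshark; the line layout `<index>. <device name> (<description>)`, the sample listing and the function names are assumptions made for illustration.

```python
import re
import subprocess

# Constructed sample of `tshark -D` output on Windows. The line layout is
# assumed; the second and third GUIDs and descriptions are made up.
SAMPLE = "\n".join([
    r"1. \Device\NPF_{362508C4-F6CC-4A4A-AB17-9DA1017E4C41} (Intel(R) 82579LM Gigabit Network Connection)",
    r"2. \Device\NPF_{11111111-2222-3333-4444-555555555555} (Example Dual Port Adapter)",
    r"3. \Device\NPF_{66666666-7777-8888-9999-AAAAAAAAAAAA} (Example Dual Port Adapter)",
])

# index, device name (no spaces), optional description in parentheses
LINE = re.compile(r"^(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")

def parse_interfaces(text):
    """Return [(index, device_name, description)] from a -D listing."""
    found = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            found.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return found

def resolve_interface(text, description):
    """Map a description to the device name to pass to -i.
    Refuses to guess when the description is missing or not unique."""
    wanted = description.strip().lower()
    hits = [i for i in parse_interfaces(text) if i[2].lower() == wanted]
    if not hits:
        raise ValueError(f"no interface described as {description!r}")
    if len(hits) > 1:
        names = ", ".join(f"{idx}={name}" for idx, name, _ in hits)
        raise ValueError(f"description is not unique: {names}")
    return hits[0][1]

def live_listing(tool="tshark"):
    """Run `<tool> -D`; stdout and stderr are both kept in case the
    listing is written to either stream."""
    proc = subprocess.run([tool, "-D"], capture_output=True, text=True)
    return proc.stdout + proc.stderr

if __name__ == "__main__":
    print(resolve_interface(SAMPLE, "Intel(r) 82579LM Gigabit Network Connection"))
```

On a real machine, pass `live_listing()` instead of `SAMPLE` and hand the returned device name to -i.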