This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Right interface to use with tshark under windows

0

In Linux, I use ifconfig to figure out which interface to listen to when capturing packets.

I know tshark -D gives me an interface list, but how can I know which one maps to which network?

$ /cygdrive/c/Program\ Files/Wireshark/tshark.exe -D
 1. \Device\NPF_{0B6A8C2B-B33C-4D84-9EAC-486FA6DCE537} (Microsoft)
 2. \Device\NPF_{A0C97C2A-33C3-4EDD-A257-A19E6F70D0A6} (Intel(R) 82579LM Gigabit Network Connection)

I am specifically interested in recording traffic received from a specific peer. In Linux, my script creates a temporary socket just to use netstat and get the local address used with that connection, then I use ifconfig to figure out the interface name that has that local address. I am not quite sure how to correlate the interface names listed in tshark -D with the ones listed in ipconfig...

Thanks

asked 17 Apr '13, 23:19

nhed


2 Answers:

4

You can use dumpcap with option -M. That will print the IP address of the interfaces (unfortunately tshark does not know -M).

dumpcap -D -M

Example:

1. \Device\NPF_GenericDialupAdapter             Adapter for generic dialup and VPN capture network
2. \Device\NPF_{A3940B42-C4FC-408A-992A-4950283AFE0D}   VMware Accelerated AMD PCNet Adapter (Microsoft's Packet Scheduler) LAN-Verbindung 192.168.158.139 network

Regards
Kurt

answered 18 Apr '13, 01:30

Kurt Knochner ♦

edited 18 Apr '13, 01:31

1

And so we learn something new every day :-)

(18 Apr '13, 01:37) SYN-bit ♦♦
1

That's one reason why I'm here. Learning new things about a tool I'm using for quite some time ;-)

(18 Apr '13, 01:42) Kurt Knochner ♦
2

Is there any reason not to just dispense with the -M option and modify -D, -L and -S to simply print the added information that -M would have supplied? (Well actually, I'm not sure what, if anything, -M adds to the -S output, despite the help indicating, somewhat cryptically in my opinion that, "for -D, -L, and -S, produce machine-readable output".) And then of course, for tshark and wireshark to also display that added information in their -D and -L output as well.

(18 Apr '13, 06:09) cmaynard ♦♦

Is there any reason not to just dispense with the -M option and modify -D, -L and -S to simply print the added information that -M would have supplied?

+1

I'm not sure what, if anything, -M adds to the -S output,

it prevents the header from being printed. Why is that better 'machine readable'? O.K. you don't have to handle that header, but skipping one line of input is not unsolvable ;-)

BTW: from the file dumpcap.c.

a comment of print_machine_readable_interfaces() says:

The actual output of this function can be viewed with the command "dumpcap -D -Z none"

apparently, the output of 'dumpcap -D -M' is identical to 'dumpcap -D -Z none'.

(18 Apr '13, 07:27) Kurt Knochner ♦

OK, well -M has been around for a while now, since r22367, so I'll let those more familiar with it comment as to whether or not it's acceptable to remove it and change the -D, -M and -S behavior.

(18 Apr '13, 08:35) cmaynard ♦♦

0

You can use ipconfig /All to list the interfaces; it will show you the UUID (0B6A8C2B-B33C-4D84-9EAC-486FA6DCE537 and A0C97C2A-33C3-4EDD-A257-A19E6F70D0A6 in your example) together with the IP settings.

answered 17 Apr '13, 23:57

SYN-bit ♦♦

Sorry ... no correlation that I can see ...

(18 Apr '13, 07:10) nhed
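The correlation both answers are after (the NPF_{GUID} in the tshark -D list versus the adapter and address the OS knows) can be scripted. The following is an added example, not code from the thread or from the Wireshark project: it parses tshark -D on Windows and joins the GUID against Get-NetAdapter / Get-NetIPAddress (available on Windows 8 / Server 2012 and later), optionally picking the tshark interface number whose IPv4 address matches a given local address, which is what the questioner's Linux script does with netstat and ifconfig. It assumes tshark.exe is on PATH; the peer address in the suggested command is a placeholder.

```powershell
# Added example (not from the original thread): map "\Device\NPF_{GUID}"
# entries from "tshark -D" to the adapter name and IPv4 address(es), using
# Get-NetAdapter / Get-NetIPAddress. Assumes tshark.exe is on PATH.
param(
    # Optional: local IPv4 address of the connection you want to capture.
    [string]$LocalAddress
)

# Parse "N. \Device\NPF_{GUID} (description)" lines into objects.
$tsharkIfaces = & tshark.exe -D | ForEach-Object {
    if ($_ -match '^\s*(\d+)\.\s+\\Device\\NPF_\{([0-9A-Fa-f-]+)\}') {
        [pscustomobject]@{ Number = [int]$Matches[1]; Guid = $Matches[2].ToUpper() }
    }
}

# Build GUID -> (adapter name, description, IPv4 list) from the OS view.
$byGuid = @{}
foreach ($a in Get-NetAdapter) {
    $guid = $a.InterfaceGuid.Trim('{}').ToUpper()
    $ips  = Get-NetIPAddress -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty IPAddress
    $byGuid[$guid] = [pscustomobject]@{
        Name = $a.Name; Description = $a.InterfaceDescription; IPv4 = @($ips)
    }
}

# Join the two lists on the GUID; entries without an OS adapter (e.g. the
# generic dialup/VPN adapter) are kept but marked.
$table = foreach ($i in $tsharkIfaces) {
    $info = $byGuid[$i.Guid]
    [pscustomobject]@{
        TsharkNumber = $i.Number
        Guid         = $i.Guid
        Adapter      = if ($info) { $info.Name } else { '(no matching OS adapter)' }
        IPv4         = if ($info) { $info.IPv4 -join ', ' } else { '' }
    }
}
$table | Format-Table -AutoSize

# Optional: pick the tshark interface that owns the given local address.
if ($LocalAddress) {
    $match = $table | Where-Object { (($_.IPv4 -split ', ') -contains $LocalAddress) }
    if ($match) {
        # <peer-address> is a placeholder for the remote host of interest.
        "Capture with: tshark -i $($match.TsharkNumber) -f 'host <peer-address>'"
    } else {
        Write-Warning "No tshark interface has local address $LocalAddress"
    }
}
```

Run it as `.\Map-TsharkInterfaces.ps1 -LocalAddress 192.168.1.10` (file name is arbitrary) to get the interface number to pass to `tshark -i`; without the parameter it just prints the joined table.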