Capture on all interfaces in tshark without mentioning interface IDs

Please help on this.

asked 26 Mar '14, 05:43 shreeshail
One Answer:
On Linux, Unix, *BSD you can use
On Windows, any does not work, so you'll have to specify the interface ID or number.
You can get the interface number with
Regards

answered 26 Mar '14, 08:46 Kurt Knochner ♦ edited 26 Mar '14, 08:47
Just for completeness, the n flag has nothing to do with the interface specification, it disables name resolution. I have no idea what the M flag does but I don't require it on Windows to get the interface id numbers. Note the id number to use with the -i flag is the digit at the start, you no longer need to use the long guid name.
sure. Just an old habit of mine. I always use -ni, as I type it without thinking ;-)
it prints "machine-readable" output, according to the man page, but the more interesting part: It prints the IP address, which helps to identify the right interface.
Duh, I was looking at tshark with the -D, not dumpcap. For whatever reason tshark doesn't have that flag, maybe it should.
I believe I suggested it here some time ago (maybe 1-2 years), but I never opened an enhancement request nor did I feel a strong temptation to change the code myself ;-)
Thanks Kurt Knochner
Is it possible to get the 'interface id' given the 'interface ip address', since I will get the IP address as user input? Or is there any way I can provide the IP address of the interface directly to tshark as an argument in place of the interface id?
No that's not possible. You'll have to parse the output of dumpcap -D -M and search for the IP address to get the interface number.
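
The lookup described in the last reply, as an added example that is not part of the original thread: it parses `dumpcap -D -M` output, finds the interface that owns a user-supplied IP address, and builds the matching `tshark -i` argument list. The function names and the sample listing are constructed, and the tab-separated layout of the sample is an assumption; the parser checks every field so it does not depend on the column order.

```python
import ipaddress
import subprocess

# Constructed sample of `dumpcap -D -M` output (tab-separated; layout assumed).
SAMPLE = (
    "1. \\Device\\NPF_{CONSTRUCTED-GUID-1}\t\tEthernet\t0\t"
    "fe80::1c2d:3e4f:5a6b:7c8d,192.0.2.10\tnetwork\n"
    "2. \\Device\\NPF_{CONSTRUCTED-GUID-2}\t\tWi-Fi\t0\t198.51.100.7\tnetwork\n"
    "3. \\Device\\NPF_Loopback\t\tLoopback\t0\t127.0.0.1,::1\tloopback\n"
)


def _parse_ip(text):
    """Return an ip_address object, or None if text is not an IP address."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return None


def find_interface_number(listing, user_ip):
    """Return the interface number whose address list contains user_ip, else None."""
    wanted = ipaddress.ip_address(user_ip.strip())  # ValueError on non-IP input
    for line in listing.splitlines():
        head, _, rest = line.strip().partition(". ")
        if not head.isdigit():
            continue  # not an interface line
        # Check every tab-separated field so the column order does not matter.
        for field in rest.split("\t"):
            if wanted in (_parse_ip(a) for a in field.split(",")):
                return int(head)
    return None


def tshark_args(user_ip, listing=None):
    """Build a tshark argument list for the interface that owns user_ip."""
    if listing is None:
        # Argument list, no shell: the user-supplied string never reaches a command line.
        listing = subprocess.run(
            ["dumpcap", "-D", "-M"], stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT, text=True, check=True).stdout
    number = find_interface_number(listing, user_ip)
    if number is None:
        raise LookupError(f"no capture interface has address {user_ip}")
    return ["tshark", "-i", str(number)]


if __name__ == "__main__":
    print(tshark_args("198.51.100.7", SAMPLE))
```

Because the user input is parsed with `ipaddress` before anything else happens, a value that is not an IP address is rejected with `ValueError`, and only the numeric interface index is ever passed to tshark.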