Hello, how is it possible to dereference interface IDs (0, 1, 2, 3, ...) in a pcapng trace to the real interface names? Thanks for any hints, steffen

asked 03 Jul '14, 00:20
One Answer:
PCAPng stores interface name and description, but depending on your OS it may still not be easy to dereference them. Linux should store the interface name like "eth0" in the interface name value, which makes it easy to find. Just open the summary statistics window to see it.

Under Windows you'll see GUIDs for interface names, and you'll need access to the original capture PC to match them against the NICs. To do that, open the Summary statistics of a PCAPng file, which will list the capture interfaces. Then run "dumpcap -D" on a command line to get a list of capture interfaces, and match the GUID string from the summary to see what string matches which interface.

answered 03 Jul '14, 00:41 Jasper
Thanks for your very helpful answer. To be sure I have this right: is the interface index number (as seen in the trace), with its order starting at 0, the same as the order listed by "dumpcap -D" starting at 1, or by the summary tab (which has no number), so that you can reference them by order?
Unfortunately, no. The interfaces in the file start at 0 for the first interface that was actually used in the capture. So if you see 3 interfaces in dumpcap but use interfaces 1 and 3, they will appear as interfaces 0 and 1 in the trace.
You have to match them by name to the "dumpcap -D" output, not by index.
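The following is an added example illustrating both the answer and the follow-up; it is not code from the original Q&A thread or from Wireshark. It parses the Interface Description Blocks (IDBs) of a pcapng file, numbers them in file order per section (which is what the interface_id field of Enhanced Packet Blocks refers to, restarting at 0 after every Section Header Block), reads the if_name and if_description options, and then matches the names against "dumpcap -D" style output. The pcapng file, the NPF GUIDs, the packet data and the dumpcap -D text are all constructed placeholders: the sample trace was "captured" on the interfaces dumpcap lists as 1 and 3, so they show up in the file as interface IDs 0 and 1, exactly the mismatch described above.

```python
"""Map pcapng interface IDs to names and to "dumpcap -D" entries (added example)."""
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
OPT_END, OPT_IF_NAME, OPT_IF_DESC = 0, 2, 3
BOM_LE, BOM_BE = b"\x4d\x3c\x2b\x1a", b"\x1a\x2b\x3c\x4d"   # byte_order_magic 0x1A2B3C4D


@dataclass
class Interface:
    interface_id: int          # 0-based position among this section's IDBs
    linktype: int
    name: str = ""             # if_name option (GUID-style on Windows, "eth0" on Linux)
    description: str = ""      # if_description option
    packets: int = 0           # EPBs that reference this interface


def _options(data: bytes, endian: str):
    """Yield (code, raw value) for each pcapng option; values are padded to 4 bytes."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack(endian + "HH", data[off:off + 4])
        off += 4
        if code == OPT_END:
            return
        yield code, data[off:off + length]
        off += (length + 3) & ~3


def interfaces(pcapng: bytes) -> list[list[Interface]]:
    """Return one Interface list per section, numbered in the order the IDBs appear."""
    sections, endian, off = [], "<", 0
    while off + 12 <= len(pcapng):
        if pcapng[off:off + 4] == b"\x0a\x0d\x0d\x0a":     # SHB: new section, IDs restart at 0
            bom = pcapng[off + 8:off + 12]
            if bom not in (BOM_LE, BOM_BE):
                raise ValueError("bad byte-order magic in Section Header Block")
            endian = "<" if bom == BOM_LE else ">"
            sections.append([])
        if not sections:
            raise ValueError("block before first Section Header Block")
        block_type, total = struct.unpack(endian + "II", pcapng[off:off + 8])
        if total < 12 or total % 4 or off + total > len(pcapng):
            raise ValueError(f"truncated or corrupt block at offset {off}")
        if struct.unpack(endian + "I", pcapng[off + total - 4:off + total])[0] != total:
            raise ValueError(f"block length trailer mismatch at offset {off}")
        body = pcapng[off + 8:off + total - 4]
        if block_type == IDB:
            iface = Interface(len(sections[-1]), struct.unpack(endian + "H", body[:2])[0])
            for code, value in _options(body[8:], endian):  # linktype(2) reserved(2) snaplen(4)
                text = value.rstrip(b"\0").decode("utf-8", "replace")
                if code == OPT_IF_NAME:
                    iface.name = text
                elif code == OPT_IF_DESC:
                    iface.description = text
            sections[-1].append(iface)
        elif block_type == EPB:
            iface_id = struct.unpack(endian + "I", body[:4])[0]
            if iface_id >= len(sections[-1]):
                raise ValueError(f"EPB refers to interface {iface_id}, but only "
                                 f"{len(sections[-1])} IDBs precede it in this section")
            sections[-1][iface_id].packets += 1
        off += total
    return sections


_DUMPCAP_LINE = re.compile(r"^\s*(\d+)\.\s+(\S+)(?:\s+\((.*)\))?\s*$")   # "N. name (description)"


def match_dumpcap(section: list[Interface], dumpcap_output: str) -> dict[int, int | None]:
    """Map each interface_id to the list number "dumpcap -D" gives that name (None if absent).

    Matching is by name, never by position: only interfaces actually captured on get an IDB.
    """
    listed = {m.group(2): int(m.group(1))
              for m in map(_DUMPCAP_LINE.match, dumpcap_output.splitlines()) if m}
    return {iface.interface_id: listed.get(iface.name) for iface in section}


# ---- constructed sample data (placeholder GUIDs, not real NICs) -----------------------------
GUIDS = ["{00000000-0000-0000-0000-00000000000%d}" % i for i in (1, 2, 3)]
DESCS = ["Wi-Fi", "Ethernet", "Local Area Connection"]
DUMPCAP_D = "\n".join(f"{n}. \\Device\\NPF_{g} ({d})" for n, (g, d) in enumerate(zip(GUIDS, DESCS), 1))


def _block(block_type: int, body: bytes) -> bytes:
    body += b"\0" * (-len(body) % 4)
    total = len(body) + 12
    return struct.pack("<II", block_type, total) + body + struct.pack("<I", total)


def _opt(code: int, value: bytes) -> bytes:
    return struct.pack("<HH", code, len(value)) + value + b"\0" * (-len(value) % 4)


def sample_capture() -> bytes:
    """Little-endian pcapng captured on dumpcap entries 1 and 3 only -> file IDs 0 and 1."""
    shb = _block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))    # version 1.0, unknown length

    def idb(guid: str, desc: str) -> bytes:
        opts = (_opt(OPT_IF_NAME, f"\\Device\\NPF_{guid}".encode())
                + _opt(OPT_IF_DESC, desc.encode()) + _opt(OPT_END, b""))
        return _block(IDB, struct.pack("<HHI", 1, 0, 262144) + opts)  # linktype 1 = Ethernet

    def epb(iface_id: int) -> bytes:
        frame = b"\0" * 14                                            # placeholder Ethernet header
        return _block(EPB, struct.pack("<IIIII", iface_id, 0, 0, len(frame), len(frame)) + frame)

    return shb + idb(GUIDS[0], DESCS[0]) + idb(GUIDS[2], DESCS[2]) + epb(0) + epb(1) + epb(1)


if __name__ == "__main__":
    section = interfaces(sample_capture())[0]
    numbers = match_dumpcap(section, DUMPCAP_D)
    for iface in section:
        print(f"interface_id {iface.interface_id}: {iface.name} ({iface.description}), "
              f"{iface.packets} packets, dumpcap -D entry {numbers[iface.interface_id]}")
```

Run against a real file, `interfaces(open(path, "rb").read())` lists every interface that has an IDB, with the packet count telling you which IDs were actually used; `match_dumpcap` then takes the pasted output of `dumpcap -D` from the capture machine. A `None` in the result means the name is not on that machine, which is the situation the answer warns about: the GUIDs only resolve on the PC the trace was taken on.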