This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Referencing interface IDs

0

Hello,

How is it possible to dereference interface-ids (0,1,2,3...) in a pcapng trace to the real interface names?

thx for hints, steffen

asked 03 Jul '14, 00:20

Discovery
16336
accept rate: 0%


One Answer:

1

PCAPng stores interface name and description, but depending on your OS it may still not be easy to dereference them.

Linux should store the interface name like "eth0" in the interface name value, which makes it easy to find. Just open the summary statistics window to see it.

Under Windows you'll see GUIDs for interface names, and you'll need access to the original capture PC to match them against the NICs. To do that, open the Summary statistics of a PCAPng file, which will list the capture interfaces. Then run "dumpcap -D" on a command line to get a list of capture interfaces, and match the GUID string from the summary to see what string matches which interface.

answered 03 Jul '14, 00:41

Jasper ♦♦
23.8k551284
accept rate: 18%

thx for your very helpful answer. To be sure of being right: is the interface index number (as seen in the trace) order starting with 0 the same as the listed order by "dumpcap -D" starting with 1 or summary tab with missing number - so you can reference using the order?

(03 Jul '14, 02:35) Discovery

Unfortunately, no. The interfaces in the file are starting at 0 for the first interface that was actually used in the capture. So if you see 3 interfaces in dumpcap but use interface 1 and 3 they will appear as interface 0 and 1 in the trace.

You have to match them by name to the "dumpcap -D" output, not by index.

(03 Jul '14, 02:37) Jasper ♦♦
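
The name lookup described in the answer and the last comment can also be done straight from the file. This is an added example, not code from the thread or from Wireshark: it walks the Interface Description Blocks of a pcapng file and maps each in-file interface ID (the order of the blocks, starting at 0) to its stored name and description. The block and option codes follow the pcapng format, the adapter names and GUIDs in the sample are constructed, and block lengths are validated because capture files are untrusted input.

```python
import struct

IDB, SHB_TYPE = 0x00000001, b"\x0a\x0d\x0d\x0a"   # block types (SHB reads the same in either byte order)
OPT_END, IF_NAME, IF_DESCRIPTION = 0, 2, 3        # IDB option codes

def parse_options(body, endian):
    """Walk TLV options (values padded to 32 bits) into {code: bytes}."""
    opts, off = {}, 0
    while off + 4 <= len(body):
        code, length = struct.unpack_from(endian + "HH", body, off)
        if code == OPT_END:
            break
        opts[code] = body[off + 4:off + 4 + length]
        off += 4 + ((length + 3) & ~3)
    return opts

def interface_map(data):
    """Return {interface_id: (if_name, if_description)} for the first section."""
    result, pos, endian, in_section = {}, 0, "<", False
    while pos + 12 <= len(data):
        if data[pos:pos + 4] == SHB_TYPE:
            if in_section:
                break                  # interface IDs restart in a new section
            in_section = True
            endian = "<" if data[pos + 8:pos + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, blen = struct.unpack_from(endian + "II", data, pos)
        if blen < 12 or blen % 4 or pos + blen > len(data):
            raise ValueError(f"malformed or truncated block at offset {pos}")
        if btype == IDB:
            # Skip type/length (8 bytes) and linktype/reserved/snaplen (8 bytes).
            opts = parse_options(data[pos + 16:pos + blen - 4], endian)
            name, desc = (opts.get(c, b"").decode("utf-8", "replace")
                          for c in (IF_NAME, IF_DESCRIPTION))
            result[len(result)] = (name, desc)   # ID = order of the IDB, from 0
        pos += blen
    return result

def _block(btype, body):               # helpers that build the constructed sample
    total = struct.pack("<I", 12 + len(body))
    return struct.pack("<I", btype) + total + body + total

def _idb(name, desc):
    opts = b"".join(struct.pack("<HH", c, len(v)) + v + b"\0" * (-len(v) % 4)
                    for c, v in ((IF_NAME, name), (IF_DESCRIPTION, desc), (OPT_END, b"")))
    return _block(IDB, struct.pack("<HHI", 1, 0, 65535) + opts)

# Constructed capture: two adapters of a Windows host, stored as IDs 0 and 1.
SAMPLE = (_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
          + _idb(rb"\Device\NPF_{11111111-1111-1111-1111-111111111111}", b"Ethernet")
          + _idb(rb"\Device\NPF_{33333333-3333-3333-3333-333333333333}", b"Wi-Fi"))
```

Calling `interface_map(open(path, "rb").read())` on a real capture gives the same mapping the Summary window shows; the GUID in each name is what gets matched against the "dumpcap -D" output.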