This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Traffic aggregation

0

Hello Forum

Does Wireshark support aggregating traffic (Tx and Rx) received from a full-duplex tap, if the monitoring host (with Wireshark) features a dual-interface capture card?

Thank you!

Joseph

asked 13 Sep '16, 09:48


joseph123


One Answer:

1

Yes, as in Wireshark is capable of capturing from multiple network interfaces at a time.

answered 13 Sep '16, 12:06


Jaap ♦

It may be worth mentioning that you may have to reorder frames by timestamp if they get recorded out-of-order. This is what reordercap is for, as a command line utility coming with the Wireshark installer.

(13 Sep '16, 13:34) Jasper ♦♦

Thank you for the feedback! I have to admit that I have not yet bought this dual-interface capture board, so I was not able to test it myself.

1. You mentioned an aggregation software, reordercap. Does that mean the 2 interfaces of that dual-interface capture board appear as a single capture interface in Wireshark?

2. In addition you mentioned timestamping. Would you therefore recommend buying a dual-interface capture board with a timestamping feature?

Thank you!

Joe

(17 Sep '16, 05:26) joseph123
  1. if a capture board is so advanced that it merges the data from the two interfaces itself (and thus probably uses advanced features of pcapng capture format to be able to indicate the direction in which a given frame has been captured), you're unlikely to need reordercap to fiddle with timestamps as such a card is likely to treat them right. But you can e.g. capture at two interfaces on your laptop simultaneously and use one of them per direction, and if one of them is the on-board Ethernet and the other one is an Ethernet over USB adaptor, you may need to compensate the difference in packet travel time from the wire to the kernel. That's where reordercap becomes handy. In this case, you'll have two interfaces, one for A->B direction at the source cable and another one for the B->A one.

  2. whether or not you need a timestamping board depends on the timing precision you need, so on the actual task. They are expensive so compare your real needs to your real budget.

(17 Sep '16, 06:24) sindy
1. Reordercap is not related to your capture interfaces, it's a capture file processor. It is specifically designed to sort the records in a capture file by time stamp, so that e.g. merged or multiple interface captures appear in incremental(1) time order. This may occur when the time stamping of the records takes place at multiple locations (e.g. interfaces).

2. Even though hardware time stamping is more accurate, it's a cost/benefit question. Is the expense of hardware capture and time stamping justified by the need for it? That is something you have to determine.

Note 1: Even though the records are sorted by timestamp, it still depends on the synchronicity of the time stamp functions whether the packets arrived at the capture interfaces in that temporal order. Unless there's hardware synchronised time stamping, this may not be the case.

(17 Sep '16, 07:43) Jaap ♦
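To make concrete what sindy's two-interface scenario and Jaap's description of reordercap mean, here is an added example (not code from the original thread or from the Wireshark project) that builds a small classic pcap image in which records from an on-board NIC and a USB adaptor were written in arrival order rather than timestamp order, then stably re-sorts them by (sec, usec) the way reordercap does. The frame contents and timestamps are constructed for illustration; a real capture would come from dumpcap or Wireshark.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps

def build_pcap(records):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples into a little-endian classic pcap image."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    body = b"".join(
        struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
        for sec, usec, frame in records
    )
    return header + body

def read_records(data):
    """Parse a little-endian classic pcap image back into (ts_sec, ts_usec, frame_bytes) tuples."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    records, off = [], 24  # 24 = global header size
    while off < len(data):
        sec, usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        records.append((sec, usec, data[off:off + incl_len]))
        off += incl_len
    return records

def reorder_by_timestamp(data):
    """Stable sort of records by (sec, usec): the same job reordercap performs on a capture file."""
    return build_pcap(sorted(read_records(data), key=lambda r: (r[0], r[1])))

def is_sorted(data):
    """True when every record's timestamp is >= the previous one's."""
    ts = [(sec, usec) for sec, usec, _ in read_records(data)]
    return ts == sorted(ts)

# Constructed sample: a merged two-interface capture. A->B frames came from the on-board
# NIC, B->A frames from a USB adaptor whose records reached the kernel later, so the
# file order does not match the timestamp order.
SAMPLE = build_pcap([
    (1, 100, b"A->B frame 1"),
    (1, 900, b"A->B frame 2"),
    (1, 400, b"B->A frame 1"),  # earlier timestamp than the record before it
    (2, 50,  b"A->B frame 3"),
    (1, 950, b"B->A frame 2"),  # again earlier than its predecessor
])

if __name__ == "__main__":
    for sec, usec, frame in read_records(reorder_by_timestamp(SAMPLE)):
        print(f"{sec}.{usec:06d} {frame.decode()}")
```

Note 1 in Jaap's comment still applies: sorting only fixes the record order, not any clock skew between the two interfaces' timestamp sources.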