
libpcap - Link-layer type and capturing multiple interfaces into a single pcap - Stack Overflow


I have a library which uses libpcap to capture a network interface into a pcap file. I now would like to capture multiple interfaces into a single pcap file and ultimately into a pcapng file. I know I can use the interface "any", but from what I understand it would be more efficient to just listen to the interfaces I am interested in. Also, in the case of VLANs, it would prevent duplicates (the same packet with and without the VLAN tag).

My idea is to create multiple pcap_t instances using pcap_open_live(), and then use a single pcap_dumper_t to dump packets from all interfaces into a single pcap with pcap_dump().

While coding I was surprised that pcap_dump_open() required a pcap_t; I thought that a dumper was independent of the interface it dumps. Digging into the libpcap source code, I found that the link-layer type of the pcap_t is used during the pcap_dumper_t creation.

I've done some tests to check which link-layer type was used for different interfaces, and I noted that type 1/EN10MB was used when capturing a single interface and type 113/LINUX_SLL when using "any".

I'm guessing mixing different link-layer types in a single pcap_dumper_t is probably not a good idea, so I'd like to know:

  • Are there any good practices for my use case? For instance, should I check that all my interfaces use the same link-layer type to prevent dump issues?
  • Is there a way to convert a packet into a particular link-layer format before dumping it?
  • Would the pcapng format be useful in my case? It seems libpcap is only able to read pcapng and not write it.

asked Feb 6 at 15:02 by Mika

1 Answer

I'm guessing mixing different link-layer types in a single pcap_dumper_t is probably not a good idea

"Not a good idea" as in "impossible", to be precise.

A pcap_dumper_t can have only one link-layer type because it writes out a pcap file, which has only one link-layer type recorded in the file's header. That means that all packets in that file will be interpreted by programs reading that file (tcpdump, Wireshark, etc.) as if they had that link-layer type. For example, if the type is LINKTYPE_ETHERNET/DLT_EN10MB, all packets will be interpreted as if they were Ethernet packets, even if they aren't, so all non-Ethernet packets, such as LINKTYPE_LINUX_SLL/DLT_LINUX_SLL packets, will be misinterpreted.

Are there any good practices for my use case? For instance, should I check that all my interfaces use the same link-layer type to prevent dump issues?

Yes, you should.

Is there a way to convert a packet into a particular link-layer format before dumping it?

No simple way. If your software knows the format of the link-layer headers for all the link-layer formats involved, you may be able to remove non-matching link-layer headers and add a matching link-layer header. It might be straightforward to convert LINKTYPE_ETHERNET/DLT_EN10MB packets to LINKTYPE_LINUX_SLL/DLT_LINUX_SLL packets, for example.

Would the pcapng format be useful in my case?

Yes.

It seems libpcap is only able to read pcapng and not write it.

Yes. You would have to write your own code to write pcapng files.
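The answer makes two practical points: Ethernet frames can be rewritten as LINUX_SLL frames so that every interface feeds one dumper with one link-layer type, and pcapng removes the restriction altogether because each Interface Description Block carries its own link type and each Enhanced Packet Block names the interface it came from. The following C program is an added example written for this page, not code from the answer, from the asker's library or from libpcap. It does both things without linking libpcap: eth_to_sll() converts a frame using the 16-byte LINUX_SLL header layout from the libpcap link-layer header documentation (big-endian packet type, ARPHRD type, address length, 8-byte sender address, protocol), and the pcapng_* functions emit Section Header, Interface Description and Enhanced Packet Blocks with the framing from the pcapng specification (type, total length, 4-byte-aligned body, total length repeated). The ARP request in sample_eth, the our_mac value, the timestamps and all function names are constructed for the example; no options are written, so timestamps are in the default microsecond resolution.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Link-layer header types: same numbers as DLT_EN10MB and DLT_LINUX_SLL. */
#define LINKTYPE_ETHERNET   1
#define LINKTYPE_LINUX_SLL  113
#define ETH_HDR_LEN 14
#define SLL_HDR_LEN 16

static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put_le32(uint8_t *p, uint32_t v) { put_le16(p, (uint16_t)v); put_le16(p + 2, (uint16_t)(v >> 16)); }

/* Rewrite an Ethernet frame as a LINUX_SLL frame: drop the 14-byte Ethernet header, prepend the
 * 16-byte SLL header. our_mac (assumed: the capturing host's address) selects packet type 4 (sent by
 * us) versus 0 (unicast to us). Returns the SLL frame length, or 0 on a short input / small output. */
size_t eth_to_sll(const uint8_t *eth, size_t len, const uint8_t our_mac[6], uint8_t *out, size_t cap)
{
    static const uint8_t bcast[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
    if (len < ETH_HDR_LEN || cap < len - ETH_HDR_LEN + SLL_HDR_LEN) return 0;
    const uint8_t *dst = eth, *src = eth + 6;
    uint16_t pkttype;
    if (memcmp(src, our_mac, 6) == 0)      pkttype = 4; /* LINUX_SLL_OUTGOING */
    else if (memcmp(dst, our_mac, 6) == 0) pkttype = 0; /* LINUX_SLL_HOST */
    else if (memcmp(dst, bcast, 6) == 0)   pkttype = 1; /* LINUX_SLL_BROADCAST */
    else if (dst[0] & 1)                   pkttype = 2; /* LINUX_SLL_MULTICAST */
    else                                   pkttype = 3; /* LINUX_SLL_OTHERHOST */
    memset(out, 0, SLL_HDR_LEN);
    put_be16(out + 0, pkttype);
    put_be16(out + 2, 1);                  /* ARPHRD_ETHER */
    put_be16(out + 4, 6);                  /* link-layer address length */
    memcpy(out + 6, src, 6);               /* sender MAC, zero-padded to 8 bytes */
    memcpy(out + 14, eth + 12, 2);         /* EtherType, already network order (0x8100 keeps the VLAN tag in the payload) */
    memcpy(out + SLL_HDR_LEN, eth + ETH_HDR_LEN, len - ETH_HDR_LEN);
    return len - ETH_HDR_LEN + SLL_HDR_LEN;
}

/* pcapng framing: block type, total length, body (already 4-byte aligned, written at out+8), total length. */
static size_t finish_block(uint8_t *out, uint32_t type, size_t body_len)
{
    size_t total = 12 + body_len;
    put_le32(out, type);
    put_le32(out + 4, (uint32_t)total);
    put_le32(out + 8 + body_len, (uint32_t)total);
    return total;
}

size_t pcapng_shb(uint8_t *out, size_t cap)            /* Section Header Block, 28 bytes without options */
{
    if (cap < 28) return 0;
    put_le32(out + 8, 0x1A2B3C4D);                     /* byte-order magic: this section is little-endian */
    put_le16(out + 12, 1); put_le16(out + 14, 0);      /* pcapng version 1.0 */
    memset(out + 16, 0xff, 8);                         /* section length -1: not known while streaming */
    return finish_block(out, 0x0A0D0D0A, 16);
}

size_t pcapng_idb(uint8_t *out, size_t cap, uint16_t linktype, uint32_t snaplen) /* Interface Description Block */
{
    if (cap < 20) return 0;
    put_le16(out + 8, linktype); put_le16(out + 10, 0); /* link type is per interface, not per file */
    put_le32(out + 12, snaplen);
    return finish_block(out, 1, 8);
}

size_t pcapng_epb(uint8_t *out, size_t cap, uint32_t if_id, uint64_t ts_us,
                  const uint8_t *pkt, uint32_t caplen, uint32_t origlen)      /* Enhanced Packet Block */
{
    size_t padded = (caplen + 3) & ~(size_t)3;
    if (cap < 32 + padded) return 0;
    put_le32(out + 8, if_id);                          /* index of the IDB whose link type decodes this packet */
    put_le32(out + 12, (uint32_t)(ts_us >> 32));
    put_le32(out + 16, (uint32_t)ts_us);
    put_le32(out + 20, caplen);
    put_le32(out + 24, origlen);
    memcpy(out + 28, pkt, caplen);
    memset(out + 28 + caplen, 0, padded - caplen);
    return finish_block(out, 6, 20 + padded);
}

/* Constructed sample input: a broadcast ARP request for 10.0.0.2 from 02:00:00:00:00:01 (42 bytes). */
static const uint8_t sample_eth[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x01,
    0x02,0x00,0x00,0x00,0x00,0x01, 10,0,0,1,
    0x00,0x00,0x00,0x00,0x00,0x00, 10,0,0,2 };
static const uint8_t our_mac[6] = {0x02,0x00,0x00,0x00,0x00,0x02};   /* assumed local MAC */

/* One section with two interfaces: interface 0 is Ethernet, interface 1 is LINUX_SLL. The same frame
 * is stored once per interface in its own link-layer format. Returns the number of bytes written. */
size_t build_capture(uint8_t *out, size_t cap)
{
    uint8_t sll[sizeof sample_eth + SLL_HDR_LEN - ETH_HDR_LEN];
    size_t n = 0, sll_len = eth_to_sll(sample_eth, sizeof sample_eth, our_mac, sll, sizeof sll);
    if (!sll_len) return 0;
    n += pcapng_shb(out + n, cap - n);
    n += pcapng_idb(out + n, cap - n, LINKTYPE_ETHERNET, 262144);
    n += pcapng_idb(out + n, cap - n, LINKTYPE_LINUX_SLL, 262144);
    n += pcapng_epb(out + n, cap - n, 0, 1700000000000000ULL, sample_eth, sizeof sample_eth, sizeof sample_eth);
    n += pcapng_epb(out + n, cap - n, 1, 1700000000000001ULL, sll, (uint32_t)sll_len, (uint32_t)sll_len);
    return n;
}

int main(void)
{
    uint8_t buf[512];
    size_t n = build_capture(buf, sizeof buf);
    FILE *f = fopen("multi.pcapng", "wb");
    if (!f || !n) return 1;
    fwrite(buf, 1, n, f);
    fclose(f);
    printf("wrote %zu bytes to multi.pcapng\n", n);
    return 0;
}
```

In a real multi-interface capture the value passed to pcapng_idb() would come from pcap_datalink() on each pcap_t, and the if_id in each pcapng_epb() call would be the position of that interface's IDB in the section. Open the resulting multi.pcapng in Wireshark to see the two packets dissected under different link types; the classic pcap format has no place to record that distinction.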
