Network media specific capturing
The capture library libpcap / WinPcap, and the underlying packet capture mechanisms it uses, don't support capturing on all network types on all platforms; Wireshark and TShark use libpcap/WinPcap, and thus have the same limitations it does.
This is a table giving the network types supported on various platforms:
| | AIX | FreeBSD | HP-UX | Irix | Linux | MacOSX | NetBSD | OpenBSD | Solaris | Tru64UNIX | Windows |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Physical Interfaces | | | | | | | | | | | |
| | Unknown | Unknown | Unknown | Unknown | Yes | No | Unknown | Unknown | Yes | Unknown | Unknown |
| | No | No | No | No | Yes [1] | No | No | No | No | No | No |
| | Unknown | Yes | Unknown | Unknown | Yes | Unknown | Yes | Yes | Unknown | Unknown | Unknown |
| | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| FDDI | Unknown | Unknown | Unknown | Unknown | Yes | No | Unknown | Unknown | Yes | Unknown | Unknown |
| | Unknown | Unknown | No | No | Yes | No | Unknown | Unknown | No | No | No |
| | No | No | No | No | Yes | No | No | No | No | No | No |
| PPP [2] | Unknown | Unknown | Unknown | Unknown | Yes | Yes | Unknown | Unknown | No | Unknown | Yes |
| | Yes | Yes | Unknown | No | Yes | No | Yes | Yes | Yes | Unknown | Yes |
| | No | No | No | No | Yes [3] | No | No | No | No | No | No |
| WLAN [4] | Unknown | Yes | Unknown | Unknown | Yes | Yes | Yes | Yes | Unknown | Unknown | Yes |
| Virtual Interfaces | | | | | | | | | | | |
| | Unknown | Yes | No | Unknown | Yes | Yes | Yes | Yes | No | Yes | N/A [5] |
| VLAN Tags | Yes | Yes | Yes | Unknown | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

1. Linux Affix Bluetooth stack only.
2. PPP non-control frames only.
3. Latest libpcap CVS required (which exact version?).
4. On some platforms: WLAN non-control frames only, with fake Ethernet headers, and only traffic to and from the machine doing the capturing.
5. Windows does not have a UNIX-style loopback interface.
The following discuss various capture issues for particular types of networks:
Physical interfaces
- Bluetooth - capture Bluetooth traffic - currently limited to the Affix stack on Linux
- CiscoHDLC links - capture on synchronous links using Cisco HDLC encapsulation
- DOCSIS - capture raw Cisco DOCSIS cable modem traffic forwarded to Ethernet
- Ethernet - capture on different Ethernet topologies, including switched networks
- FrameRelay - capture FrameRelay traffic
- IrDA - capture IrDA traffic - currently limited to Linux
- PPP links - capture on dial-up lines, ISDN connections and PPP-over-Ethernet (PPPoE, e.g. ADSL)
- TokenRing - capture on TokenRing adapters, including promiscuous mode and switched networks
- USB - capture of raw USB traffic
- WLAN - capture on 802.11 (WLAN, Wi-Fi) interfaces, including "monitor mode", raw 802.11 headers and radio information
Virtual interfaces
- Loopback - capture traffic from a machine to itself, including the IP address 127.0.0.1
- Pipes - use UNIX pipes to capture from other applications (even remote!)
- WinPcapRemote - WinPcap remote capturing (client for Win32, daemons for Win32 and Linux) - currently not working!
Unsupported media
There are several networks / busses from which Wireshark cannot capture raw data.
However, if the operating system supports it, Wireshark can usually capture the network media it knows about that "travel" on top of that network / bus.
Example: Wireshark can usually capture Ethernet data from a PCI Ethernet adapter, but it cannot capture the raw PCI data transferred over the PCI bus.
Here is an assortment of such networks / busses:
- IEEE 1394/FireWire
- Fibre Channel
- PCI, ISA, PCMCIA (Cardbus) ... and similar busses
