Network media specific capturing

The capture library libpcap / WinPcap, and the underlying packet capture mechanisms it uses, don't support capturing on all network types on all platforms; Wireshark and TShark use libpcap/WinPcap, and thus have the same limitations it does.

This is a table giving the network types supported on various platforms:

Interface	AIX	FreeBSD	HP‑UX	Irix	Linux	macOS	NetBSD	OpenBSD	Solaris	Tru64 UNIX	Windows
ATM	❔	❔	❔	❔	✅	❌	❔	❔	✅	❔	❔
Bluetooth	❌	❌	❌	❌	✅¹	❌	❌	❌	❌	❌	❌
CiscoHDLC	❔	✅	❔	❔	✅	❔	✅	✅	❔	❔	❔
Ethernet	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅	✅
FDDI	❔	❔	❔	❔	✅	❌	❔	❔	✅	❔	❔
FrameRelay	❔	❔	❌	❌	✅	❌	❔	❔	❌	❌	❌
IrDA	❌	❌	❌	❌	✅	❌	❌	❌	❌	❌	❌
PPP²	❔	❔	❔	❔	✅	✅	❔	❔	❌	❔	✅
TokenRing	✅	✅	❔	❌	✅	❌	✅	✅	✅	❔	✅
USB	❌	❌	❌	❌	✅³	❌	❌	❌	❌	❌	❌
WLAN⁴	❔	✅	❔	❔	✅	✅	✅	✅	❔	❔	✅
Loopback (virtual)	❔	✅	❌	❔	✅	✅	✅	✅	✅⁵	✅	N/A⁶
VLAN Tags (virtual)	✅	✅	✅	❔	✅	✅	✅	✅	✅	✅	✅

Linux Affix Bluetooth stack only.
PPP non-control frames only.
Latest libpcap CVS required (which exact version?).
On some platforms: WLAN non-control frames only, with fake Ethernet headers, and only traffic to and from the machine doing the capturing.
Solaris 11 only.
Windows does not have a UNIX-style loopback interface.

The following discuss various capture issues for particular types of networks

Physical interfaces

ATM - capture ATM traffic
Bluetooth - capture Bluetooth traffic - currently limited to affix stack on linux
CiscoHDLC links - capture on synchronous links using Cisco HDLC encapsulation
DOCSIS - capture raw Cisco DOCSIS cable modem traffic forwarded to Ethernet
Ethernet - capture on different Ethernet topologies, including switched networks
FrameRelay - capture FrameRelay traffic
IrDA - capture IrDA traffic - currently limited to Linux.
PPP links - capture on dial-up lines, ISDN connections and PPP-over-Ethernet (PPPoe, e.g. ADSL)
SS7 - capture SS7 traffic on TDM (T1/E1/J1/T3/E3/J3) links
TokenRing - capture on TokenRing adapters, including promiscuous mode and switched networks
USB - capture of raw USB traffic
WLAN - capture on 802.11 (WLAN, Wi-Fi) interfaces, including "monitor mode" , raw 802.11 headers and radio information

Virtual interfaces

Loopback - capture traffic from a machine to itself, including the IP address 127.0.0.1
Pipes - use UNIX pipes to capture from other applications (even remote!)
VLAN - capture VLAN traffic, including VLAN tags
WinPcapRemote - WinPcap remote capturing (client for Win32, daemons for Win32 and Linux) - currently not working!

Unsupported media

There are several networks / busses from which Wireshark cannot capture raw data.

However, if the operating system supports it, Wireshark can usually capture network media it knows that "travel" on top of that network / bus.

Example: Wireshark can usual capture Ethernet data from a PCI Ethernet adapter but it cannot capture the raw PCI data transferred over the PCI bus.

Here is an assortment of such networks / busses:

IEEE 1394/!FireWire
Fibre Channel
PCI, ISA, PCMCIA (Cardbus) ... and similar busses

Imported from https://wiki.wireshark.org/CaptureSetup/NetworkMedia on 2020-08-11 23:11:57 UTC