Network media specific capturing
The capture library libpcap / WinPcap, and the underlying packet capture mechanisms it uses, don't support capturing on all network types on all platforms; Wireshark and TShark use libpcap/WinPcap, and thus have the same limitations it does.
This is a table giving the network types supported on various platforms:
| Interface | AIX | FreeBSD | HP‑UX | Irix | Linux | macOS | NetBSD | OpenBSD | Solaris | Tru64 UNIX | Windows |
|---|---|---|---|---|---|---|---|---|---|---|---|
| ATM | |||||||||||
| Bluetooth | |||||||||||
| CiscoHDLC | |||||||||||
| Ethernet | |||||||||||
| FDDI | |||||||||||
| FrameRelay | |||||||||||
| IrDA | |||||||||||
| PPP2 | |||||||||||
| TokenRing | |||||||||||
| USB | |||||||||||
| WLAN4 | |||||||||||
| Loopback (virtual) | N/A5 | ||||||||||
| VLAN Tags (virtual) |
- Linux Affix Bluetooth stack only.
- PPP non-control frames only.
- Latest libpcap CVS required (which exact version?).
- On some platforms: WLAN non-control frames only, with fake Ethernet headers, and only traffic to and from the machine doing the capturing.
- Windows does not have a UNIX-style loopback interface.
The following discuss various capture issues for particular types of networks
Physical interfaces
-
Bluetooth - capture Bluetooth traffic - currently limited to affix stack on linux
-
CiscoHDLC links - capture on synchronous links using Cisco HDLC encapsulation
-
DOCSIS - capture raw Cisco DOCSIS cable modem traffic forwarded to Ethernet
-
Ethernet - capture on different Ethernet topologies, including switched networks
-
FrameRelay - capture FrameRelay traffic
-
IrDA - capture IrDA traffic - currently limited to Linux.
-
PPP links - capture on dial-up lines, ISDN connections and PPP-over-Ethernet (PPPoe, e.g. ADSL)
-
TokenRing - capture on TokenRing adapters, including promiscuous mode and switched networks
-
USB - capture of raw USB traffic
-
WLAN - capture on 802.11 (WLAN, Wi-Fi) interfaces, including "monitor mode" , raw 802.11 headers and radio information
Virtual interfaces
-
Loopback - capture traffic from a machine to itself, including the IP address 127.0.0.1
-
Pipes - use UNIX pipes to capture from other applications (even remote!)
-
WinPcapRemote - WinPcap remote capturing (client for Win32, daemons for Win32 and Linux) - currently not working!
Unsupported media
There are several networks / busses from which Wireshark cannot capture raw data.
However, if the operating system supports it, Wireshark can usually capture network media it knows that "travel" on top of that network / bus.
Example: Wireshark can usual capture Ethernet data from a PCI Ethernet adapter but it cannot capture the raw PCI data transferred over the PCI bus.
Here is an assortment of such networks / busses:
-
IEEE 1394/!FireWire
-
Fibre Channel
-
PCI, ISA, PCMCIA (Cardbus) … and similar busses
Imported from https://wiki.wireshark.org/CaptureSetup/NetworkMedia on 2020-08-11 23:11:57 UTC