Re: dumpcap, interfaces, and promiscuous mode

[Stephen Hemminger <stephen@networkplumber.org>]

On Tue, 27 Dec 2022 09:26:14 -0500
Ben Magistro <koncept1@gmail.com> wrote:

> I'd like to start out by saying what I believed to be a simple change
> (a8dde09 ("app/dumpcap: allow help/version without primary process")) seems
> to have had more ripples than I anticipated.  I'd like to just get a
> conversation going here before developing/submitting a patch.  I think this
> will likely need to be at least two patches just to keep scope in check.
> 
> With regard to interface selection, the most recent patch (7f3623a
> ("app/dumpcap: fix select interface")) breaks capturing on
> multiple interfaces.  You can still specify the `-i` option as many times
> as you would like but only the last entry is used in the capture selection
> as each entry just overwrites the previous entry.  I believe this needs to
> be flipped to an array or similar structure that can have entries
> appended to it as the arguments are processed.  Selecting all interfaces
> with the asterisk seems to be unaffected but could also result in capturing
> traffic on unnecessary interfaces.
> 
> With regard to promiscuous mode, there are two areas of concern here.  The
> first is this flag is global and not per interface.  I can envision a
> scenario where you might want to capture on one interface in promiscuous
> mode and on a second not in promiscuous mode.  My first thought is to make
> this option follow the interface parameter then when parsing arguments so
> that it can be associated with a specific interface.  The second is that if
> I run a capture in promiscuous mode and then stop the capture, it will also
> disable promiscuous mode.  Generally I think I would agree with this
> behavior as it follows how a typical call to tcpdump should behave.  The
> concern here though is that that the main process may have been
> started/running with promiscuous mode and stopping a capture would change
> that mode for the main process.  My first thought here is to query the
> initial state and check that when quitting to know if it should disable
> promiscuous mode or not.  This brings me to another aspect here and I don't
> think changing the behaviour of the `-p` flag is appropriate, but can see
> maybe adding an option to inherit the main process's promiscuous state(s)
> when starting.
> 
> Happy to try and work on some of these changes but want to talk through the
> issues first so we can try to address all of them.
> 
> Cheers,
> 
> Ben Magistro

I believe all this got fixed by the 22.11 version.
Since dumpcap has interface parameter, it should only enable the ones it
is using.

The user interface for the DPDK version of dumpcap is modeled after
the wireshark version. In general would not like to invent lots of new
DPDK specific options here.