Tuesday, July 19, 2011

Solaris cannot capture packets sent to itself

(1) On Suse8 and on Windows, there is an ‘any’ interface available, which captures all packets on all interfaces.

Linux has it, Windows doesn’t. The Linux networking stack lets you have a PF_PACKET socket that’s not bound to a network interface, and that receives packets from all interfaces. WinPcap doesn’t support that; it might be that NDIS doesn’t let you capture packets without connecting to a particular interface.

(2) On Solaris (eri and qfe) this interface seems to be not available.

DLPI, as used on various OSes including Solaris, doesn’t support that either, so there’s no “any” device.

(3) I’m using a lot of subinterfaces on the box (qfe0:1 … 18). What I’ve experienced in addition is that I cannot see packets sent from one subinterface to another (e.g. qfe0:2 > qfe0:6), which I have to use for testing purposes.

Packets sent from a machine to itself are, as far as I know, on Solaris, not supplied to DLPI, and are therefore uncapturable by libpcap.
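
The unbound PF_PACKET socket mentioned in the reply to (1), as an added example (not code from the original post or from libpcap): a Linux-only C program that opens the socket without calling bind() and prints, for each frame, the interface it was seen on and its direction. The function names are made up for this example, and it needs CAP_NET_RAW (run it as root).

```c
#include <arpa/inet.h>         /* htons */
#include <net/ethernet.h>      /* ETH_P_ALL */
#include <net/if.h>            /* if_indextoname, IF_NAMESIZE */
#include <netpacket/packet.h>  /* struct sockaddr_ll, PACKET_* */
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a packet socket and deliberately skip bind(): with no interface
 * bound, the kernel delivers frames from every interface. SOCK_DGRAM
 * strips the link-layer header, so different link types can be mixed. */
int open_unbound_packet_socket(void)
{
    return socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL));
}

/* Render where a frame was seen, e.g. "lo out len=84". */
int describe_frame(const struct sockaddr_ll *from, size_t len,
                   char *out, size_t outsz)
{
    /* Indexed by sll_pkttype: PACKET_HOST (0) .. PACKET_OUTGOING (4). */
    static const char *dir[] = { "host", "bcast", "mcast", "other", "out" };
    char name[IF_NAMESIZE];
    if (if_indextoname((unsigned)from->sll_ifindex, name) == NULL)
        snprintf(name, sizeof name, "if#%d", from->sll_ifindex);
    return snprintf(out, outsz, "%s %s len=%zu", name,
                    from->sll_pkttype < 5 ? dir[from->sll_pkttype] : "?", len);
}

int main(void)
{
    unsigned char buf[65536];
    char line[64];
    int fd = open_unbound_packet_socket();
    if (fd < 0) { perror("socket(AF_PACKET)"); return 1; }
    for (int i = 0; i < 20; i++) {          /* print the first 20 frames */
        struct sockaddr_ll from;
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0,
                             (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); break; }
        describe_frame(&from, (size_t)n, line, sizeof line);
        puts(line);
    }
    close(fd);
    return 0;
}
```

On Linux, traffic a host sends to one of its own addresses appears in this output on `lo`, which is the case the Solaris DLPI path described above does not deliver.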