Although tcpdump listens on all devices if called *without* '-i', there doesn't exist a possibility to express such a request with '-i'. I think that's a bad style, because default values should be accessable at the commandline also (e.g. to keep portability in scripts). An + if ( device!=0 && (strcmp(device,"all")==0) ) device=0 shortly after the getopt()-while-switch clause in tcpdump.c would introduce the 'all' keyword as synonym for 'all devices'.
reminder: a man page change would also be necessary.
This patch: * adds -i 'any' and 'all'. 'any' looks up an interface using the old algorithm. 'all' tries to use all interfaces (no error message if used in -R where it wouldn't work). * changes default behaviour for -R so that 'any' is assumed (no need to always use -i anymore). * document some stuff in -i and -p, fix a typo. --- -i Listen on interface. Special keywords ``all'' or ``any'' may also be used. ``all'' is effective only in default, packet socket mode. ``any'' means that tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loopback). Ties are broken by choosing the earliest match. The default is ``all'' in packet and ``any'' in raw socket mode. [...] -p Do put the interface into promiscuous mode. Note that legacy mode was to use promiscuous mode by default. tcpdump can only listen to one interface in promiscuous mode. Also note that the interface might be in promiscuous mode for some other reason. ---
Created attachment 6862 [details] fix -i behaviour and documentation plus minor odds and ends
It seems tcpdump.org has semantics where 'any' mean "all". In the hindsight, for the future compatibility it would probably be better make all and any synonyms and use something like 'one' for the algorithm. Oh well.
Changed the behaviour in patches above to 'any' and 'one' as the patch had to be modified anyway for another reason.