Reputation: 97
where does the wireshark capture the packets
where does the wireshark capture the packets in the linux kernel? If an output packet is captured by wireshark , will the packet be sent out definitely through corresponding interface? In other words, could an output packet that captured by wireshark be dropped before it is sent out?
Upvotes: 2
Views: 1159
Answers (1)
Reputation:
where does the wireshark capture the packets in the linux kernel?
On UN*Xes, it uses libpcap, which, on Linux, uses AF_PACKET sockets. (On Windows, it uses WinPcap, which is a driver plus a port of libpcap to use the driver.)
If an output packet is captured by wireshark , will the packet be sent out definitely through corresponding interface?
No. The networking stack hands the packet to the appropriate AF_PACKET sockets and to the driver; the driver might drop the packet (for example, if, on an Ethernet, it got multiple collisions and gave up) even though the packet was delivered to the AF_PACKET socket.
In other words, could an output packet that captured by wireshark be dropped before it is sent out?
Yes. See above.
Upvotes: 3
Related Questions
- How to capture packets off other machine?
- How can Wireshark view all network traffic?
- How can I sniff packet with Wireshark
- There are no interfaces on which a capture can be done.[wireshark]
- Capturing data packets in closed LAN
- In tools like tcpdump, when exactly are the network packets captured?
- what does this wireshark info refer to
- Using Wireshark in Computer Networks
- Capturing incoming tcp/ip packets
- Sniffing packets using tshark