On May 10, 2012, at 4:28 AM, Singh, Anand wrote:

> Can you please let me know how it talks with raw packets. Is it using the 
> existing TCP stack or is it directly communicating with lower-level drivers 
> like the PHY/MAC layer?

If you mean "how does it capture raw packets", it uses libpcap on UN*X and 
WinPcap on Windows.  How libpcap works with network interfaces is dependent on 
the OS on which it's running - it doesn't *directly* communicate with the 
drivers, it uses mechanisms such as:

        BPF on *BSD/OS X/AIX/Solaris 11;

        PF_PACKET sockets (or, on pre-2.2 kernels, SOCK_PACKET sockets) on 
Linux;

        DLPI on older Solaris, HP-UX, and some other OSes;

etc.  WinPcap includes its own driver that runs atop NDIS.

> & Where do I find the code section where we access raw buffers?

"Accessing raw buffers" in what sense?  The code that does the traffic 
capturing is in dumpcap, which is run by Wireshark and TShark to do traffic 
capture (as traffic capture may require special privileges, this arranges that 
only the relatively-small dumpcap program, which does not and will not ever 
dissect packets, requires those privileges, not the much-larger Wireshark and 
TShark).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
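The privilege-separation point in the reply (only the small dumpcap helper needs capture rights) is worth checking on a Linux host. This is an added example, not code from the thread or from the Wireshark project: it audits `getcap` output (a constructed sample is embedded) and assumes the usual setcap-based install, where dumpcap carries `cap_net_raw` and `cap_net_admin` and the dissecting binaries carry nothing.

```python
import re
from typing import List, Set, Tuple

# Assumption: what dumpcap needs on Linux for PF_PACKET capture and promiscuous mode.
CAPTURE_CAPS = {"cap_net_raw", "cap_net_admin"}
CAPTURE_HELPER = "dumpcap"
_LINE_RE = re.compile(r"^(?P<path>\S+)\s*(?:=\s*)?(?P<caps>.*)$")
_CLAUSE_RE = re.compile(r"^([\w,]+)([=+-])([eip]*)$")

def parse_getcap_line(line: str) -> Tuple[str, Set[str]]:
    """Return (path, permitted caps); accepts old 'path = caps+eip' and new 'path caps=eip'."""
    m = _LINE_RE.match(line.strip())
    if not m or not m.group("caps"):
        raise ValueError(f"unparseable getcap line: {line!r}")
    caps: Set[str] = set()
    for clause in m.group("caps").split():
        c = _CLAUSE_RE.match(clause)
        if not c:
            raise ValueError(f"unparseable capability clause: {clause!r}")
        names, op, flags = c.groups()
        if op != "-" and "p" in flags:  # only permitted caps are usable by the process
            caps.update(names.split(","))
    return m.group("path"), caps

def audit_capture_caps(getcap_output: str) -> List[str]:
    """Flag deviations from 'capture privilege lives only on dumpcap, and minimally'."""
    findings: List[str] = []
    helper_seen = False
    for line in getcap_output.splitlines():
        if not line.strip():
            continue
        path, caps = parse_getcap_line(line)
        if path.rsplit("/", 1)[-1] == CAPTURE_HELPER:
            helper_seen = True
            if CAPTURE_CAPS - caps:
                findings.append(f"{path}: missing {sorted(CAPTURE_CAPS - caps)}; non-root capture fails")
            if caps - CAPTURE_CAPS:
                findings.append(f"{path}: more than capture needs: {sorted(caps - CAPTURE_CAPS)}")
        elif caps & CAPTURE_CAPS:
            findings.append(f"{path}: capture caps on a dissecting binary; move them to dumpcap")
    if not helper_seen:
        findings.append("no dumpcap entry: capture would need root or a setuid binary")
    return findings

if __name__ == "__main__":
    # Constructed sample of `getcap -r /usr/bin` output, not taken from a real host.
    sample = "/usr/bin/dumpcap cap_net_admin,cap_net_raw=eip\n/usr/bin/tshark cap_net_raw=eip\n"
    for finding in audit_capture_caps(sample):
        print(finding)
```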