Wireshark mailing list archives

Re: Regarding wireshark design


From: Guy Harris <guy () alum mit edu>
Date: Thu, 10 May 2012 09:19:43 -0700


On May 10, 2012, at 4:28 AM, Singh, Anand wrote:

        Can you please let me know how it talks with raw packets. Is it using the existing TCP stack or is it
        directly communicating with lower-level drivers like the PHY/MAC layer?

If you mean "how does it capture raw packets", it uses libpcap on UN*X and WinPcap on Windows.  How libpcap works with 
network interfaces is dependent on the OS on which it's running - it doesn't *directly* communicate with the drivers, 
it uses mechanisms such as:

        BPF on *BSD/OS X/AIX/Solaris 11;

        PF_PACKET sockets (or, on pre-2.2 kernels, SOCK_PACKET sockets) on Linux;

        DLPI on older Solaris, HP-UX, and some other OSes;

etc.  WinPcap includes its own driver that runs atop NDIS.

        Where do I find the code section where we are accessing raw buffers?

"Accessing raw buffers" in what sense?  The code that does the traffic capturing is in dumpcap, which is run by 
Wireshark and TShark to do traffic capture (as traffic capture may require special privileges, this arranges that only 
the relatively-small dumpcap program, which does not and will not ever dissect packets, requires those privileges, not 
the much-larger Wireshark and TShark).
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
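The reply above describes a split that is worth seeing in code: the privileged part (dumpcap) only captures and writes pcap records, and the unprivileged part (Wireshark/TShark) reads and dissects them. The following is an added example, not code from Wireshark or from the mailing-list thread. It uses the real pcap file layout (24-byte global header, 16-byte per-record header), but the `capture_side` function is a constructed stand-in that serialises hand-built frames instead of opening an interface, the sample frame is constructed, and the `dissect_side` reader is a minimal illustration of why the consumer must validate every length it reads from the stream before trusting it.

```python
"""Illustration of the dumpcap/Wireshark split: a privileged writer emits a
pcap stream, an unprivileged reader parses it with bounds checks.
Added example; the pcap byte layout is the real pcap format, but the sample
packet and the capture_side() function are constructed stand-ins."""
import struct

PCAP_MAGIC = 0xA1B2C3D4        # microsecond-resolution pcap magic number
LINKTYPE_ETHERNET = 1          # pcap link-layer type for Ethernet frames


def pcap_global_header(snaplen=65535, linktype=LINKTYPE_ETHERNET):
    # magic, version major/minor, thiszone, sigfigs, snaplen, linktype (little-endian)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(ts_sec, ts_usec, frame, snaplen=65535):
    # a record stores both the captured length (incl_len) and the on-wire length (orig_len)
    captured = frame[:snaplen]
    return struct.pack("<IIII", ts_sec, ts_usec, len(captured), len(frame)) + captured


def capture_side(frames, snaplen=65535):
    """Stand-in for dumpcap: the only component that would need capture privileges.
    Here it just serialises constructed frames instead of reading an interface."""
    out = bytearray(pcap_global_header(snaplen))
    for i, frame in enumerate(frames):
        out += pcap_record(i, 0, frame, snaplen)   # constructed timestamps
    return bytes(out)


def ethertype(payload, linktype):
    """Return the EtherType of an Ethernet payload, or None if not decodable."""
    if linktype != LINKTYPE_ETHERNET or len(payload) < 14:
        return None
    return struct.unpack("!H", payload[12:14])[0]


def dissect_side(data):
    """Stand-in for the unprivileged Wireshark/TShark reader.
    Returns one dict per record and never trusts a length field before checking it."""
    if len(data) < 24:
        raise ValueError("short global header")
    magic, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    records = []
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        # lengths come from the stream, i.e. from whoever produced the file:
        # reject inconsistent values before slicing so a bad file cannot desync the parser
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("bad lengths incl=%d orig=%d" % (incl_len, orig_len))
        if len(data) - off < incl_len:
            raise ValueError("record data truncated at offset %d" % off)
        payload = data[off:off + incl_len]
        off += incl_len
        records.append({
            "ts": ts_sec + ts_usec / 1e6,
            "incl_len": incl_len,
            "orig_len": orig_len,
            "ethertype": ethertype(payload, linktype),
        })
    return records


# Constructed sample frame: broadcast dst MAC, locally administered src MAC,
# EtherType 0x0800 (IPv4), followed by 20 zero bytes of placeholder payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "02000000000a" "0800") + bytes(20)

if __name__ == "__main__":
    # snaplen 40 makes the second (68-byte) frame come out truncated, as dumpcap would do
    stream = capture_side([SAMPLE_FRAME, SAMPLE_FRAME * 2], snaplen=40)
    for rec in dissect_side(stream):
        print(rec)
```

The point of keeping the two halves separate is the one Guy makes: only `capture_side` needs elevated privileges, so a bug in the far larger parsing side (here the checks in `dissect_side`, in practice the dissectors) is reached with the privileges of an ordinary user rather than root.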

