On Jan 5, 2011, at 7:59 AM, Rajagopal Aravindan wrote:

> I have always wondered as to at which level packet capture works.
> Is it this way ...
>
> 1. For packets that are sent out, a copy of every packet, given to the
> device driver by the protocol layer, would be captured by the pcap library.
> 2. For packets that are received, a copy of every packet, given by the
> protocol layer to the above layers, would be captured by the pcap library.

It depends on the OS. You'd have to look at the OS kernel source for the particular capture mechanism libpcap is using to see whether the capture mechanism is handed the packet by the driver or by some part of the protocol layer.

-
This is the tcpdump-workers list. Visit https://cod.sandelman.ca/ to unsubscribe.