On Sep 16, 2003, at 11:51 AM, Matt Langley wrote:
> I am developing an application that relies on the IP stack for its
> implementation. I’ve been using ethereal to help debug the
> application. I’ve found that the data gets to the ethereal program,
> but not all the data gets to the application. Does anyone know where
> on the IP Stack the ethereal application gets its data from?

Nowhere.

When doing a capture, Ethereal gets its data from libpcap, which gets
it from whatever packet capture mechanism is in the OS. Those
mechanisms either

1) directly connect to the driver for the network interface (for
example, BPF on the BSDs and AIX); or

2) connect to the networking stack at a layer *below* the IP layer
(for example, DLPI on Solaris, HP-UX, and some other systems, PF_PACKET
sockets on Linux, snoop sockets on Irix, NDIS with the WinPcap driver
on Windows).

The IP stack isn't involved, although, if 2) is the case, the IP stack
connects to the lower layers of the networking stack in a fashion
similar to the way the stuff libpcap uses does.
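
Added example, not part of the original message or of Ethereal/libpcap: because the capture tap sits below the IP layer, a frame can appear in a capture and still never reach the application. The sketch below runs constructed sample frames through a simplified, assumed subset of IPv4 input checks; the function names, addresses and checks are illustrative, not any OS's actual code.

```python
import ipaddress
import struct

def ip_checksum(header: bytes) -> int:
    """RFC 791 ones'-complement checksum over an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(src: str, dst: str, payload: bytes, corrupt: bool = False) -> bytes:
    """Constructed sample: Ethernet II header + IPv4 header + opaque payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = ip_checksum(hdr) ^ (0x0101 if corrupt else 0)  # optionally damage it
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + hdr + payload

def ip_layer_verdict(frame: bytes, local_ip: str) -> str:
    """What a (simplified) IP layer does with a frame the capture tap already saw."""
    if len(frame) < 34:
        return "drop: truncated"
    if frame[12:14] != b"\x08\x00":
        return "not IPv4: never handed to the IP layer"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return "drop: bad header"
    if ip_checksum(ip[:ihl]) != 0:  # a valid header sums to zero
        return "drop: bad header checksum"
    if ip[16:20] != ipaddress.IPv4Address(local_ip).packed:
        return "drop: not addressed to this host"
    return "deliver"

if __name__ == "__main__":
    local = "192.0.2.10"  # constructed documentation address
    frames = [build_frame("192.0.2.1", local, b"hello"),
              build_frame("192.0.2.1", local, b"hello", corrupt=True),
              build_frame("192.0.2.1", "192.0.2.99", b"hello")]
    for f in frames:  # every frame is visible to the capture tap
        print("captured: yes | IP layer:", ip_layer_verdict(f, local))
```

All three frames would show up in a capture; only the first is delivered upward in this model.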