Wireshark-dev: Re: [Wireshark-dev] Regarding wireshark design

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 10 May 2012 09:19:43 -0700
On May 10, 2012, at 4:28 AM, Singh, Anand wrote:

> Can you please let me know how it talks with raw packets. Is it using the existing TCP stack, or is it directly communicating with lower-level drivers like the PHY/MAC layer?

If you mean "how does it capture raw packets", it uses libpcap on UN*X and WinPcap on Windows.  How libpcap works with network interfaces is dependent on the OS on which it's running - it doesn't *directly* communicate with the drivers, it uses mechanisms such as:

	BPF on *BSD/OS X/AIX/Solaris 11;

	PF_PACKET sockets (or, on pre-2.2 kernels, SOCK_PACKET sockets) on Linux;

	DLPI on older Solaris, HP-UX, and some other OSes;

etc.  WinPcap includes its own driver that runs atop NDIS.

> & Where do I find the code section where we are accessing raw buffers?

"Accessing raw buffers" in what sense?  The code that does the traffic capturing is in dumpcap, which is run by Wireshark and TShark to do traffic capture (as traffic capture may require special privileges, this arranges that only the relatively small dumpcap program, which does not and will not ever dissect packets, requires those privileges, not the much larger Wireshark and TShark).
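As an added illustration (not Wireshark or dumpcap code, and not part of Guy Harris's reply), here is a minimal Linux PF_PACKET capture in C that follows the same split the reply describes: the privileged step (opening the raw socket) happens first, privileges are dropped, and the raw frame bytes are then touched only through a bounds-checked parser. The interface name "eth0", the unprivileged uid/gid 65534, and the sample frame are assumptions made for the example; the sample frame is constructed, not captured traffic.

```c
/* Added example, not Wireshark/dumpcap code: minimal Linux PF_PACKET capture
 * with the privilege split dumpcap's design is built around. Assumes Linux,
 * glibc, and an unprivileged uid/gid of 65534 ("nobody" on many systems). */
#include <arpa/inet.h>
#include <errno.h>
#include <linux/if_ether.h>
#include <linux/if_packet.h>
#include <net/if.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct frame_summary {
    uint8_t dst[ETH_ALEN];
    uint8_t src[ETH_ALEN];
    uint16_t ethertype;   /* host byte order */
    size_t payload_len;   /* bytes after the 14-byte Ethernet header */
};

/* Parse the raw buffer a PF_PACKET socket hands back. Returns 0 on success,
 * -1 if fewer than ETH_HLEN bytes arrived (runts do occur; never trust len). */
int parse_ethernet(const uint8_t *buf, size_t len, struct frame_summary *out)
{
    if (buf == NULL || out == NULL || len < ETH_HLEN)
        return -1;
    memcpy(out->dst, buf, ETH_ALEN);
    memcpy(out->src, buf + ETH_ALEN, ETH_ALEN);
    out->ethertype = (uint16_t)((buf[12] << 8) | buf[13]);
    out->payload_len = len - ETH_HLEN;
    return 0;
}

/* Privileged step: open a raw socket bound to ifname. Needs CAP_NET_RAW. */
int open_capture_socket(const char *ifname)
{
    struct sockaddr_ll sll;
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return -1;
    memset(&sll, 0, sizeof sll);
    sll.sll_family = AF_PACKET;
    sll.sll_protocol = htons(ETH_P_ALL);
    sll.sll_ifindex = (int)if_nametoindex(ifname);
    if (sll.sll_ifindex == 0 || bind(fd, (struct sockaddr *)&sll, sizeof sll) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drop to an unprivileged uid/gid once the socket exists: the open fd keeps
 * working, but nothing after this point can open another raw socket. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return setuid(0) == 0 ? -1 : 0;   /* the drop must be irreversible */
}

/* Constructed sample frame (not captured traffic): 14-byte Ethernet header
 * with EtherType 0x0800 followed by a 20-byte dummy payload. */
static const uint8_t sample_frame[34] = {
    0x00,0x11,0x22,0x33,0x44,0x55,  0x66,0x77,0x88,0x99,0xaa,0xbb,  0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x06,0,0, 10,0,0,1, 10,0,0,2
};

/* Parsed EtherType of the sample frame (expected 0x0800), or -1 on failure. */
int demo_parse_sample(void)
{
    struct frame_summary fs;
    if (parse_ethernet(sample_frame, sizeof sample_frame, &fs) != 0)
        return -1;
    return fs.payload_len == 20 ? fs.ethertype : -1;
}

/* Parser verdict on a 13-byte runt: expected -1, with nothing read past len. */
int demo_parse_runt(void)
{
    struct frame_summary fs;
    return parse_ethernet(sample_frame, ETH_HLEN - 1, &fs);
}

int main(int argc, char **argv)
{
    static uint8_t buf[65536];
    const char *ifname = argc > 1 ? argv[1] : "eth0";   /* assumed interface */
    int fd = open_capture_socket(ifname);
    if (fd < 0) { perror("open_capture_socket"); return 1; }
    if (drop_privileges(65534, 65534) != 0) { perror("drop_privileges"); return 1; }
    for (int i = 0; i < 10; i++) {
        struct frame_summary fs;
        ssize_t n = recv(fd, buf, sizeof buf, 0);
        if (n < 0) { if (errno == EINTR) continue; perror("recv"); break; }
        if (parse_ethernet(buf, (size_t)n, &fs) != 0) { printf("runt: %zd bytes\n", n); continue; }
        printf("type 0x%04x, %zu payload bytes\n", fs.ethertype, fs.payload_len);
    }
    close(fd);
    return 0;
}
```

Run it as root (or with CAP_NET_RAW) with an interface name as the argument; after the socket is bound it is running as uid 65534, so a bug in the parser or anything downstream of it no longer executes with capture privileges, which is the point of keeping the privileged program small and dissection-free.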