On May 6, 2014, at 12:47 PM, my007ms <my007ms@xxxxxxxxx> wrote:
>
> So Wireshark uses the normal libpcap.so, not libwiretap.so, to capture packets?
(Not on my machine - it's called libpcap.dylib on my machine. It might be called libpcap.dll on other machines. :-))
Correct. Early in Ethereal development, we thought libwiretap would be used to do live capture in addition to reading capture files, but that never became necessary.
> If you please, guide me on which file in the source code I should read to find out more about this part of Wireshark.
If by "this part" you mean packet capture, read dumpcap.c. (Wireshark and TShark run dumpcap to do the packet capture; packet capture might require elevated privileges, and, well, as doc/README.packaging says:
WIRESHARK CONTAINS OVER TWO MILLION LINES OF SOURCE CODE. DO NOT RUN THEM AS ROOT.
so we limit the elevated-privileges part to dumpcap, which is simpler and does not contain and *NEVER* will contain packet-dissection code.)
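A defender's check of the split described above, added here as an example that is not from this thread or from the Wireshark project: it verifies that dumpcap, and only dumpcap, carries capture privileges, and that it does so through file capabilities rather than a setuid bit. It assumes a Linux install with the binaries under /usr/bin and getcap(8) from libcap available; those paths are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread or the Wireshark project: audit an
# installed Wireshark for the privilege split described above, i.e. only
# dumpcap may hold capture privileges, and it should hold them as file
# capabilities rather than as setuid root.
# Assumptions: Linux, ls(1) mode strings, getcap(8) from libcap if present.

# True (0) if an ls -l mode string such as "-rwsr-xr-x" carries setuid or setgid.
mode_has_setid() {
    case "$1" in
        ???[sS]*|??????[sS]*) return 0 ;;
        *) return 1 ;;
    esac
}

# True (0) if a getcap output line grants both capabilities dumpcap needs.
# Accepts the old ("= cap_net_admin,cap_net_raw+eip") and the new
# ("cap_net_admin,cap_net_raw=eip") getcap output formats.
line_has_capture_caps() {
    case "$1" in
        *cap_net_raw*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# Check one binary: $1 = path, $2 = "capturer" for dumpcap, "ui" for the rest.
# Prints a verdict and returns 0 when the file matches the intended design.
check_binary() {
    path=$1; role=$2
    [ -e "$path" ] || { echo "SKIP  $path (not installed)"; return 0; }
    mode=$(ls -ld "$path" | cut -c1-10)
    if mode_has_setid "$mode"; then
        echo "FAIL  $path is setuid/setgid ($mode); use file capabilities instead"
        return 1
    fi
    caps=""
    command -v getcap >/dev/null 2>&1 && caps=$(getcap "$path" 2>/dev/null)
    if [ "$role" = capturer ]; then
        line_has_capture_caps "$caps" && { echo "OK    $path has capture caps"; return 0; }
        echo "WARN  $path lacks cap_net_raw/cap_net_admin; capture needs root or a capture group"
        return 1
    fi
    line_has_capture_caps "$caps" && { echo "FAIL  $path (dissector code) holds capture caps"; return 1; }
    echo "OK    $path holds no capture privileges"
}

status=0
check_binary /usr/bin/dumpcap capturer || status=1
check_binary /usr/bin/wireshark ui     || status=1
check_binary /usr/bin/tshark ui        || status=1
echo "overall: $([ "$status" -eq 0 ] && echo pass || echo fail)"
```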