Where does Wireshark capture the packets

我只是一个虾纸丫 posted on 2019-12-11 02:05:47

Question


Where does Wireshark capture the packets in the Linux kernel? If an output packet is captured by Wireshark, will the packet definitely be sent out through the corresponding interface? In other words, could an output packet that is captured by Wireshark be dropped before it is sent out?


Answer 1:


Where does Wireshark capture the packets in the Linux kernel?

On UN*Xes, it uses libpcap, which, on Linux, uses AF_PACKET sockets. (On Windows, it uses WinPcap, which is a driver plus a port of libpcap to use the driver.)

If an output packet is captured by Wireshark, will the packet definitely be sent out through the corresponding interface?

No. The networking stack hands the packet to the appropriate AF_PACKET sockets and to the driver; the driver might drop the packet (for example, if, on an Ethernet, it got multiple collisions and gave up) even though the packet was delivered to the AF_PACKET socket.

In other words, could an output packet that is captured by Wireshark be dropped before it is sent out?

Yes. See above.
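
Because a frame seen on the AF_PACKET socket may still be dropped by the driver, a capture can be cross-checked against the interface's transmit counters. The following is an added example, not part of the original answer: it parses two snapshots in the Linux /proc/net/dev format and reports whether any TX error, drop or collision counter rose in between. The function names are hypothetical and the counter values are constructed sample data.

```python
# Added example (not from the original answer). Sample counters are constructed.
TX_FIELDS = ("bytes", "packets", "errs", "drop", "fifo", "colls", "carrier", "compressed")
LOSS_FIELDS = ("errs", "drop", "fifo", "colls", "carrier")


def parse_proc_net_dev(text):
    """Return {interface: {tx_field: int}} parsed from /proc/net/dev content."""
    stats = {}
    for line in text.splitlines()[2:]:  # the first two lines are column headers
        if ":" not in line:
            continue
        name, counters = line.split(":", 1)
        values = counters.split()
        if len(values) < 16 or not all(v.isdigit() for v in values[:16]):
            continue  # skip truncated or malformed rows
        # Columns 0-7 are receive counters, 8-15 are transmit counters.
        stats[name.strip()] = dict(zip(TX_FIELDS, map(int, values[8:16])))
    return stats


def tx_loss_delta(before, after, iface):
    """Change in TX packet and loss counters for iface between two snapshots."""
    b = parse_proc_net_dev(before)[iface]
    a = parse_proc_net_dev(after)[iface]
    return {f: a[f] - b[f] for f in ("packets",) + LOSS_FIELDS}


def tx_loss_seen(delta):
    """True if any TX error/drop/collision counter rose during the capture."""
    return any(delta[f] > 0 for f in LOSS_FIELDS)


HEADER = (
    "Inter-|   Receive                                                |  Transmit\n"
    " face |bytes    packets errs drop fifo frame compressed multicast|"
    "bytes    packets errs drop fifo colls carrier compressed\n"
)
# Constructed snapshots: taken before and after a hypothetical capture on eth0.
BEFORE = HEADER + "  eth0: 52000 400 0 0 0 0 0 0 31000 250 0 0 0 0 0 0\n"
AFTER = HEADER + "  eth0: 52900 410 0 0 0 0 0 0 38500 300 2 1 0 3 0 0\n"

if __name__ == "__main__":
    delta = tx_loss_delta(BEFORE, AFTER, "eth0")
    print(delta, "loss seen:", tx_loss_seen(delta))
```

On a live system, read /proc/net/dev once before starting the capture and once after stopping it, and pass both strings to `tx_loss_delta`; a rise in any loss counter means the capture alone does not show that every outbound frame left the interface.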



Source: https://stackoverflow.com/questions/29620590/where-does-the-wireshark-capture-the-packets
