wireshark 在哪里捕获数据包 [英] where does the wireshark capture the packets

问题描述

wireshark 在 linux 内核中在哪里捕获数据包?如果wireshark抓到一个输出包，这个包一定会通过相应的接口发出吗?换言之，wireshark 捕获的输出数据包是否可以在发送之前丢弃?

where does the wireshark capture the packets in the linux kernel? If an output packet is captured by wireshark , will the packet be sent out definitely through corresponding interface? In other words, could an output packet that captured by wireshark be dropped before it is sent out?

推荐答案

wireshark 在 linux 内核中在哪里捕获数据包?

where does the wireshark capture the packets in the linux kernel?

在 UN*Xes 上，它使用 libpcap，在 Linux 上，它使用 AF_PACKET 套接字.(在 Windows 上，它使用 WinPcap，它是一个驱动程序加上一个 libpcap 端口来使用该驱动程序.)

On UN*Xes, it uses libpcap, which, on Linux, uses AF_PACKET sockets. (On Windows, it uses WinPcap, which is a driver plus a port of libpcap to use the driver.)

如果一个输出包被wireshark抓到了，这个包一定会通过相应的接口发送出去吗?

If an output packet is captured by wireshark , will the packet be sent out definitely through corresponding interface?

没有.网络堆栈将数据包交给适当的 AF_PACKET 套接字和驱动程序；即使数据包已传送到 AF_PACKET 套接字，驱动程序也可能会丢弃数据包(例如，如果在以太网上发生多次冲突并放弃).

No. The networking stack hands the packet to the appropriate AF_PACKET sockets and to the driver; the driver might drop the packet (for example, if, on an Ethernet, it got multiple collisions and gave up) even though the packet was delivered to the AF_PACKET socket.

换句话说，wireshark 捕获的输出数据包是否可以在发送之前丢弃?

In other words, could an output packet that captured by wireshark be dropped before it is sent out?

是的.见上文.

这篇关于wireshark 在哪里捕获数据包的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！