This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, Can you please let me know at which layer snoop captures packets? Is it after physical layer or?

Thanks, Siva

asked 21 Sep '12, 09:58

vnkt4u's gravatar image

vnkt4u
1111
accept rate: 0%


Is that "snoop" as in "the Solaris (and IRIX?) packet analyzer named "snoop"" or "snoop" as in "packet analyzers in general, including Wireshark"?

In either case, if you use the OSI model, the capturing is usually done at the data link layer, above the physical layer, at least for LAN traffic. For WANs it might be above some part of the data link layer; for example, ATM traffic might not capture each ATM cell individually, but might get an entire AAL5 PDU as a single reassembled frame, and PPP over a T-carrier or E-carrier link might show PPP frames without the underlying "HDLC-like framing".

permanent link

answered 21 Sep '12, 11:49

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×12

question asked: 21 Sep '12, 09:58

question was seen: 3,963 times

last updated: 21 Sep '12, 11:49

p​o​w​e​r​e​d by O​S​Q​A