This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Which layer packets are captured?

0

Hello, can you please let me know at which layer snoop captures packets? Is it after the physical layer or?

Thanks, Siva

asked 21 Sep '12, 09:58


vnkt4u
accept rate: 0%


One Answer:

2

Is that "snoop" as in "the Solaris (and IRIX?) packet analyzer named 'snoop'" or "snoop" as in "packet analyzers in general, including Wireshark"?

In either case, if you use the OSI model, the capturing is usually done at the data link layer, above the physical layer, at least for LAN traffic. For WANs it might be above some part of the data link layer; for example, ATM traffic might not capture each ATM cell individually, but might get an entire AAL5 PDU as a single reassembled frame, and PPP over a T-carrier or E-carrier link might show PPP frames without the underlying "HDLC-like framing".

answered 21 Sep '12, 11:49


Guy Harris ♦♦
accept rate: 19%
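
As an added illustration of the answer above (not part of the original Q&A, and not Wireshark or snoop code): a classic pcap file records a link-layer header type in its file header, and the bytes of each captured packet begin with that data link layer header. The sample capture is constructed inline, and the function names are assumptions of this example.

```python
import struct

# Subset of the pcap LINKTYPE_ registry: the header each captured packet starts with.
LINKTYPES = {1: "ETHERNET", 9: "PPP", 50: "PPP_HDLC", 100: "ATM_RFC1483"}
MAGICS = (0xA1B2C3D4, 0xA1B23C4D)  # microsecond and nanosecond timestamp variants

def read_pcap(data):
    """Return (linktype_name, [raw packet bytes, ...]) for a classic pcap file."""
    for endian in ("<", ">"):  # the magic number tells us the writer's byte order
        if struct.unpack(endian + "I", data[:4])[0] in MAGICS:
            break
    else:
        raise ValueError("not a classic pcap file")
    fields = struct.unpack(endian + "IHHiIII", data[:24])
    linktype = fields[6] & 0xFFFF  # upper bits carry FCS information, not the type
    packets, off = [], 24
    while off + 16 <= len(data):
        # Per-packet record header: ts_sec, ts_frac, captured length, original length
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        packets.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return LINKTYPES.get(linktype, "LINKTYPE %d" % linktype), packets

def ethernet_header(frame):
    """Decode the 14-byte Ethernet header that starts a LINKTYPE_ETHERNET packet."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    fmt = lambda mac: ":".join("%02x" % b for b in mac)
    return fmt(dst), fmt(src), ethertype

def constructed_capture():
    """Constructed sample: a pcap file with one Ethernet frame (zeroed ARP-sized payload)."""
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return header + record + frame

if __name__ == "__main__":
    name, packets = read_pcap(constructed_capture())
    # The first bytes of the packet are the data link header: MACs and EtherType.
    print(name, ethernet_header(packets[0]))
```

The packet data contains no preamble or other physical-layer signalling; it starts directly with the destination MAC address of the Ethernet frame.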