This is a static archive of our old Q&A Site. Please post any new questions and answers at

Wireshark capture “Live packet” from Ethernet card?


From the info, Wireshark capture "Live packet" from ethernet.

Can i know where these "live packet" is capture?

  1. Network Cable -> Ethernet card -> Wireshark
  2. Network Cable -> Ethernet card -> OS -> TCP Stack -> Wireshark

I am not familiar with network. Thanks in advance !!!!

asked 29 Sep '10, 20:02

stan's gravatar image

accept rate: 0%

One Answer:


I think "Live packet capture" in this case means that the network data is captured live from the network, as opposed to opening an existing, prerecorded (dead? :-)) trace file. That statement is probably there to tell you that Wireshark is not just an offline packet analysis tool, but that it can capture, too. Well, dumpcap does all the capturing work, but Wireshark is the "commanding officer" :-)

I can't describe the flow of capture downto the finest details, but I'd say it's like this: Network Cable -> Ethernet Card -> OS -> libPCAP/WinPCAP -> dumpcap.exe -> tempfile -> Wireshark

answered 30 Sep '10, 01:48

Jasper's gravatar image

Jasper ♦♦
accept rate: 18%

That's pretty much it (although there's no ".exe" on UN*X, it's just "dumpcap"). What's in the "OS" part differs from OS to OS; it starts with the driver for the Ethernet adapter, and then goes to whatever mechanism the OS provides for libpcap to use on UNIX, or goes to NDIS and then the WinPcap kernel driver on Windows.

(06 Oct '10, 14:29) Guy Harris ♦♦