reachkmfk.blogg.se

Wireshark capture packets from only one tab






Sometimes it is important to know how Wireshark captures packets, and when it is writing them to disk. One of the common questions is “how can I avoid writing packets to disk, and just capture them in memory?”. One of the concepts of capturing with Wireshark is that Wireshark does not capture packets. A lot of readers will now think “wait a minute, I know for sure that I have captured tons of packets with Wireshark!”, and I have to admit that it’s not that far from the truth. If we look at Wireshark as a tool package it is able to capture packets, but if you look at the Wireshark executable, it isn’t. Instead, it calls dumpcap.exe whenever you start a capture, and reads the file written by dumpcap. With Process Explorer on Windows, you can see what happens if you start a capture. In fact, Wireshark creates a dumpcap process and passes it the parameters for the capture.
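The reader side of this split, as an added example that is not part of the original post: a process that reads a capture file while dumpcap is still appending to it has to stop at the last fully written block and resume from there. It assumes the file is pcapng (dumpcap's default output format); the function names and sample bytes are constructed for illustration.

```python
import struct

SHB, IDB, EPB = 0x0A0D0D0A, 0x00000001, 0x00000006
NAMES = {SHB: "section_header", IDB: "interface_description", EPB: "enhanced_packet"}

def read_complete_blocks(buf):
    """Return (blocks, consumed): each fully written pcapng block in buf as
    (name, total_length), and the offset to resume from after more data arrives."""
    blocks, off, endian = [], 0, "<"
    while off + 12 <= len(buf):          # 12 bytes = smallest possible block
        if struct.unpack_from("<I", buf, off)[0] == SHB:
            # Byte-order magic 0x1A2B3C4D fixes endianness for this section.
            endian = "<" if buf[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(endian + "II", buf, off)
        if total < 12 or total % 4:
            raise ValueError(f"corrupt block length {total} at offset {off}")
        if off + total > len(buf):
            break                        # writer is mid-block: stop, retry later
        if struct.unpack_from(endian + "I", buf, off + total - 4)[0] != total:
            raise ValueError(f"length trailer mismatch at offset {off}")
        blocks.append((NAMES.get(btype, hex(btype)), total))
        off += total
    return blocks, off

def _block(btype, body):
    """Build one little-endian pcapng block (constructed test data)."""
    total = 12 + len(body)
    return struct.pack("<II", btype, total) + body + struct.pack("<I", total)

# Constructed sample: header, interface, one packet, and a second packet cut
# off after 20 bytes, as if dumpcap had not finished writing it yet.
PACKET = _block(EPB, struct.pack("<IIIII", 0, 0, 0, 4, 4) + b"\xde\xad\xbe\xef")
COMPLETE = (_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))
            + _block(IDB, struct.pack("<HHI", 1, 0, 262144)) + PACKET)
GROWING = COMPLETE + PACKET[:20]

if __name__ == "__main__":
    blocks, consumed = read_complete_blocks(GROWING)
    print(blocks, "resume at byte", consumed)
```
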






