6.3. Capturing packets

Capturing takes packets from a network adapter and saves them to a file on your hard disk.

Since raw network adapter access requires elevated privileges, these functions are isolated into the dumpcap program. Only this program needs these privileges, which allows the main part of the code (dissectors, user interface, etc.) to run with normal user privileges.
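
The following is an added example, not part of the Wireshark code base or this guide: a Python audit of the privilege split described above on a Unix-like host, checking that only the capture helper carries a setuid bit or Linux file capabilities and that the caller is not root. The install paths and the function names are assumptions made for illustration.

```python
import os
import stat

# Assumed install paths for illustration; the page does not give any.
HELPER = "/usr/bin/dumpcap"
UNPRIVILEGED = ["/usr/bin/wireshark", "/usr/bin/tshark"]


def privilege_source(path):
    """List the ways the file at `path` gains privilege when executed."""
    sources = []
    if os.stat(path).st_mode & stat.S_ISUID:
        sources.append("setuid")
    # Linux stores file capabilities in the security.capability xattr.
    getxattr = getattr(os, "getxattr", None)  # absent on non-Linux platforms
    if getxattr is not None:
        try:
            if getxattr(path, "security.capability"):
                sources.append("file-capabilities")
        except OSError:
            pass  # attribute not set, or filesystem without xattr support
    return sources


def audit(helper, others, euid=None):
    """Return findings that contradict the split: privilege only in `helper`."""
    euid = os.geteuid() if euid is None else euid
    findings = []
    if euid == 0:
        findings.append("running as root: dissectors and UI would be privileged too")
    for path in others:
        sources = privilege_source(path)
        if sources:
            findings.append("%s is privileged via %s" % (path, ", ".join(sources)))
    if os.stat(helper).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("%s is writable by group or others" % helper)
    return findings


if __name__ == "__main__":
    paths = [p for p in [HELPER] + UNPRIVILEGED if os.path.exists(p)]
    if HELPER in paths:
        for finding in audit(HELPER, [p for p in paths if p != HELPER]):
            print("FINDING:", finding)
        print(HELPER, "privilege source:", privilege_source(HELPER) or "none found")
```

An empty findings list means the elevated privilege is confined to the capture helper, which is the property the design relies on.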

To hide all the low-level, machine-dependent details from Wireshark, the libpcap and Npcap (see Section 5.9, “libpcap or Npcap (Optional, But Strongly Recommended)”) libraries are used. These libraries provide a general-purpose interface to capture packets and are used by a wide variety of applications.