Wireshark-users: [Wireshark-users] How does Wireshark interact with Fedora Core?
From: "Michael Cobb" <[email protected]>
Date: Thu, 14 Sep 2006 08:09:50 -0400

Thanks for a response.

It is UDP Multicast.

-----Original Message-----
On Behalf Of Guy Harris
Sent: Wednesday, September 13, 2006 2:26 PM
To: Ethereal user support; Community support list for Wireshark
Subject: Re: [Ethereal-users] How does Ethereal interact with Fedora Core?
-------------------

Michael Cobb wrote:

> Can anyone explain to me how Wireshark relates to Fedora?

The same way Wireshark relates to it (see the above note).  This discussion should probably be continued on the wireshark-users mailing list; I'm sending this to that list as well.

> At what OS
> level is displaying a capture from? I’m not a developer, but need to
> be certain that packets displayed by Ethereal are indeed being
> presented from the OS to an application that is running.

Wireshark (and Ethereal) capture traffic using the libpcap library; on Linux, that works by opening a "PF_PACKET socket", from which it receives the packets.

Packets delivered to a PF_PACKET socket aren't necessarily delivered to some other socket; they might be delivered to a networking protocol such as TCP or UDP, but that won't necessarily deliver them to a socket.

> I am currently sniffing and seeing the packets in Wireshark. However
> the developer of the application has inserted debugging code to
> display when it receives those packets, but it does not acknowledge
> receiving them. I need to determine if this means the problem is OS
> related or application related.

It's *probably* application-related.  Are the packets TCP, UDP, or some other protocol?  Does the application have a socket open to receive those packets?
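
Added example, not part of the thread and not written by either poster: one way to check on a Linux host whether a UDP multicast flow that shows up in a capture can reach an application socket at all, by reading the kernel's socket and group-membership tables. The use of /proc/net/udp and /proc/net/igmp, the sample table contents, the group 239.1.1.1 and the ports are assumptions made for illustration; the address decoding assumes a little-endian (x86) host.

```python
import socket
import struct

# Constructed sample in the layout of Linux /proc/net/udp (not real output).
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 00000000:14E9 00000000:0000 07 00000000:00000000 00:00000000 00000000    70        0 11111
  31: 0100007F:1388 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 22222
"""
# Constructed sample in the layout of Linux /proc/net/igmp (not real output).
SAMPLE_IGMP = """\
Idx Device    : Count Querier Group    Users Timer Reporter
1   lo        :     1      V3
                010000E0     1 0:00000000 0
2   eth0      :     2      V3
                010101EF     1 0:00000000 0
                010000E0     1 0:00000000 0
"""

def hex_ip(h):
    # Assumption: little-endian host (x86), where the kernel prints 127.0.0.1 as 0100007F.
    return socket.inet_ntoa(struct.pack("<I", int(h, 16)))

def udp_sockets(text):
    """Return (local_ip, local_port) for every row of a /proc/net/udp dump."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) > 1 and ":" in fields[1]:
            addr, port = fields[1].split(":")
            rows.append((hex_ip(addr), int(port, 16)))
    return rows

def joined_groups(text):
    """Return {interface: [group, ...]} from a /proc/net/igmp dump."""
    groups, dev = {}, None
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and (fields[2] == ":" or fields[1].endswith(":")):
            dev = fields[1].rstrip(":")          # interface header line
        elif fields and dev:
            groups.setdefault(dev, []).append(hex_ip(fields[0]))
    return groups

def diagnose(group, port, udp_text=SAMPLE_UDP, igmp_text=SAMPLE_IGMP):
    """Say which side to look at for datagrams sent to group:port."""
    if not any(p == port and ip in ("0.0.0.0", group) for ip, p in udp_sockets(udp_text)):
        return "no socket bound to wildcard/group address on this port"
    ifaces = [d for d, gs in joined_groups(igmp_text).items() if group in gs]
    if not ifaces:
        return "socket bound, but group not joined on any interface"
    return "socket bound, group joined on " + ",".join(ifaces)
```

On a live host, pass the contents of the two /proc files instead of the samples. Either of the first two verdicts means the capture can show the datagrams while no application socket is eligible to receive them.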