top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

Wireshark : What is the "Linux cooked capture" ?

+4 votes
2,921 views

During analyzing the wireshark logs, I found the information named as "Linux cooked capture".
Can someone please elaborate it ?

posted Mar 6, 2016 by Harshita

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

0 votes

On Linux, packet capturing is done by opening a socket. In systems with a 2.2 or later kernel, the socket is a PF_PACKET socket, either of type SOCK_RAW or SOCK_DGRAM.

A SOCK_RAW socket supplies the packet data including what the driver specified, when constructing the socket buffer (skbuff) holding the packet, to be the packet's link-layer header; a SOCK_DGRAM packet supplies only data above what was specified by the driver to be the link-layer header.

For the purposes of libpcap, which is the library used by programs such as tcpdump, Ethereal/Tethereal, snort, etc. to capture network traffic, a SOCK_RAW socket is usually the appropriate type of socket on which to capture, and is what's used.

Unfortunately, the purported link-layer header might be missing (as is the case for some PPP interfaces), or might contain random unpredictable amounts of data (as is the case for at least some interfaces using ISDN), or might not contain enough data to determine the type of the packet (as is the case with at least some ATM interfaces), so capturing with a SOCK_RAW socket doesn't always work well.

For interfaces of those types - and for interfaces of a type that libpcap currently doesn't have code to support - libpcap uses a SOCK_DGRAM socket, and constructs a fake link-layer header from the address supplied by a "recvfrom()" on that socket.

A "Linux cooked capture" is one done with libpcap using a SOCK_DGRAM socket.

answer May 4, 2016 by Manikandan J
Similar Questions
+1 vote

There is a use case in which two machines are located in same network or different network but both are reachable to each other.
Can remotely captured packets in one machine be seen in wireshark running in another machine on real time basis ?

+3 votes

I am doing an basic udp program and receiving the packet ,showing in the wireshark too ...I also want to print the buffer contents came in the packet ...How can i do it

+3 votes

Just for curiosity, I want to see a real network traffic from Chrome Browser when I browse for any pages. I want to see Diameter Messages if I want to take a capture on Wireless Network Connection from Wireshark. If it possible kindly suggest the conditions on which it can be captured?

+2 votes

I installed wireshark on my F20/Gnome notebook, and yum has kept it updated:

# grep wire yum*
Jan 28 12:34:15 Installed: wireshark-1.10.5-1.fc20.x86_64
Feb 21 20:15:51 wireshark-1.10.5-2.fc20.x86_64: 100
Feb 21 22:06:04 Updated: wireshark-1.10.5-2.fc20.x86_64
Feb 27 13:16:45 Updated: wireshark-1.10.5-3.fc20.x86_64
Mar 21 19:09:59 Updated: wireshark-1.10.6-1.fc20.x86_64
Mar 28 18:31:25 Updated: wireshark-1.10.6-2.fc20.x86_64

Wireshark does not show as an application. I don't see a bin for wireshark, only a bunch of libs. What may be missing here?

...