
As you know, Windows has stopped supporting raw sockets, so there is no real way to use raw sockets to build a network sniffer. My question is: how exactly do WinPcap and similar libraries provide network sniffing on Windows? Does it depend on the version of Windows? Do they use some other technique to achieve packet sniffing? Is there any other solution besides raw sockets for packet sniffing? Some software, such as Wireshark, uses WinPcap to sniff network packets.

Tags: raw sockets, windows

sia

1 Answer


It uses NPF, which is implemented as a protocol driver. Refer to the following for a more in-depth explanation.

http://www.winpcap.org/docs/docs_412/html/group__NPF.html

Smith
Comment: And Network Monitor, on Windows Vista and later, uses [a lightweight filter driver](http://social.technet.microsoft.com/Forums/en/netmon/thread/43439a52-fe3e-48d6-b272-1e4aa6b47c7f). The key here is "driver": both WinPcap and Network Monitor, as well as other sniffers, insert their own kernel-mode code into the system; they don't just use the user-mode APIs provided by Windows. – Oct 12 '12 at 22:54
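As an added illustration (this is not code from the question, the answer, the comment, or the WinPcap project), the Python program below is a user-mode consumer of the WinPcap API, loaded through ctypes from wpcap.dll (WinPcap, or its successor Npcap, which exposes the same DLL). It makes two of the answer's points concrete: adapters reach user mode as `\Device\NPF_{GUID}` names handed out by the NPF protocol driver, not as sockets, and what comes up from the driver is the complete link-layer frame, Ethernet header included, so ARP and other non-IP traffic is visible, which a Windows raw socket never delivered. The live-capture part only works on Windows with the NPF driver installed; the adapter GUID in the `__main__` block is a placeholder, and the sample frame is constructed for the example. `parse_frame()` runs anywhere.

```python
"""Added example: read frames from the NPF driver via wpcap.dll and decode them."""
import ctypes
import struct
import sys

# Adapter names exposed by the NPF protocol driver look like \Device\NPF_{GUID}.
NPF_DEVICE_PREFIX = r"\Device\NPF_"

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Constructed sample (not a real capture): Ethernet + IPv4 header + 4 bytes of TCP.
SAMPLE_IPV4_FRAME = (
    bytes.fromhex("001122334455")          # destination MAC
    + bytes.fromhex("66778899aabb")        # source MAC
    + b"\x08\x00"                          # EtherType IPv4
    + bytes.fromhex("45000028000040004006" # ver/IHL, ToS, len, id, flags, TTL=64, proto=6
                    "0000" "c0a8010a" "0a000001")  # checksum, 192.168.1.10 -> 10.0.0.1
    + b"\x00\x50\x1f\x90"                  # TCP ports 80 -> 8080 (truncated segment)
)


def is_npf_device(name):
    """True if an adapter name came from the NPF driver."""
    return name.startswith(NPF_DEVICE_PREFIX)


def parse_frame(frame):
    """Decode a link-layer frame as NPF delivers it: Ethernet, then IPv4 or ARP basics.
    Raises ValueError if the frame is too short to hold an Ethernet header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {
        "dst_mac": ":".join("%02x" % b for b in dst),
        "src_mac": ":".join("%02x" % b for b in src),
        "ethertype": ethertype,
    }
    payload = frame[14:]
    if ethertype == ETHERTYPE_IPV4 and len(payload) >= 20:
        ihl = (payload[0] & 0x0F) * 4
        info["ip_proto"] = payload[9]
        info["src_ip"] = ".".join(str(b) for b in payload[12:16])
        info["dst_ip"] = ".".join(str(b) for b in payload[16:20])
        info["l4"] = payload[ihl:]
    elif ethertype == ETHERTYPE_ARP and len(payload) >= 28:
        info["arp_op"] = struct.unpack("!H", payload[6:8])[0]
        info["arp_sender_ip"] = ".".join(str(b) for b in payload[14:18])
        info["arp_target_ip"] = ".".join(str(b) for b in payload[24:28])
    return info


class _Timeval(ctypes.Structure):
    # WinPcap's struct timeval is two 32-bit longs on Windows.
    _fields_ = [("tv_sec", ctypes.c_long), ("tv_usec", ctypes.c_long)]


class _PcapPkthdr(ctypes.Structure):
    _fields_ = [("ts", _Timeval), ("caplen", ctypes.c_uint32), ("len", ctypes.c_uint32)]


def _load_wpcap():
    """Load wpcap.dll and declare the three calls used below (Windows only)."""
    lib = ctypes.CDLL("wpcap.dll")
    lib.pcap_open_live.restype = ctypes.c_void_p
    lib.pcap_open_live.argtypes = [ctypes.c_char_p, ctypes.c_int, ctypes.c_int,
                                   ctypes.c_int, ctypes.c_char_p]
    lib.pcap_next_ex.restype = ctypes.c_int
    lib.pcap_next_ex.argtypes = [ctypes.c_void_p,
                                 ctypes.POINTER(ctypes.POINTER(_PcapPkthdr)),
                                 ctypes.POINTER(ctypes.POINTER(ctypes.c_ubyte))]
    lib.pcap_close.restype = None
    lib.pcap_close.argtypes = [ctypes.c_void_p]
    return lib


def capture_frames(device, count, snaplen=65535, promiscuous=True, timeout_ms=1000):
    """Open an NPF adapter and return up to `count` parsed frames.
    Requires Windows with the NPF driver installed and running."""
    if not is_npf_device(device):
        raise ValueError("expected a %s... adapter name, got %r" % (NPF_DEVICE_PREFIX, device))
    lib = _load_wpcap()
    errbuf = ctypes.create_string_buffer(256)  # PCAP_ERRBUF_SIZE
    handle = lib.pcap_open_live(device.encode(), snaplen, int(promiscuous), timeout_ms, errbuf)
    if not handle:
        raise OSError("pcap_open_live failed: %s" % errbuf.value.decode(errors="replace"))
    frames = []
    try:
        hdr = ctypes.POINTER(_PcapPkthdr)()
        data = ctypes.POINTER(ctypes.c_ubyte)()
        while len(frames) < count:
            rc = lib.pcap_next_ex(handle, ctypes.byref(hdr), ctypes.byref(data))
            if rc == 0:      # read timeout, nothing arrived yet
                continue
            if rc < 0:       # -1 error, -2 end of a savefile
                break
            frames.append(parse_frame(ctypes.string_at(data, hdr.contents.caplen)))
    finally:
        lib.pcap_close(handle)
    return frames


if __name__ == "__main__":
    print(parse_frame(SAMPLE_IPV4_FRAME))   # offline decode of the constructed sample
    if len(sys.argv) > 1:                   # e.g. "\Device\NPF_{GUID}" from dumpcap -D
        for f in capture_frames(sys.argv[1], 5):
            print(f)
```

Run it with no arguments to see the decoded sample frame; on Windows, pass an adapter name (Wireshark's `dumpcap -D` lists them with their `\Device\NPF_` prefix) to pull five live frames. Opening the adapter requires the NPF service to be loaded, which is exactly the kernel-mode dependency the answer and comment describe.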