
Is packet sniffer software implemented as a kernel bypass? If so, how (which APIs) is it done on Linux and Windows?

Or does a packet sniffer actually depend on the kernel to talk to the NIC and put it into promiscuous mode? If so, again, what are the APIs on Linux and Windows?

thambi03

1 Answer

> Does a packet sniffer actually depend on the kernel to talk to the NIC and put it into promiscuous mode?

At least for the free-software packet sniffers, yes, it does. (Some commercial sniffers on Windows might supply their own drivers, at least for Wi-Fi adapters, and bypass the networking stack for those adapters.)

> If so, again, what are the APIs on Linux and Windows?

Linux: PF_PACKET sockets.

Windows: there aren't any nice APIs, so, for example, WinPcap has to provide its own kernel-mode driver which uses the NDIS kernel interface.

Or you could just use libpcap on UN*X (Linux, *BSD, OS X, AIX, Solaris, HP-UX, etc.) and WinPcap on Windows, and let it use the appropriate capture mechanism and its programming interfaces on the OS you're using (take a look at pcap-linux.c in the libpcap source; using some of the Linux APIs is a bit complicated, for example).

  • So this does not really look like kernel bypass. E.g. WinPcap works through the Windows kernel by implementing filter device drivers. Kernel bypass would be really bypassing the kernel, like they do in high-performance networking in the financial industry. – thambi03 May 16 '15 at 00:57