 | 1 | initial version |
What you are missing is the fact that Ethernet frames, as on the wire and as such received by the NIC, have a beginning (preamble) and end (CRC + IPG). These boundaries are preserved, when the NIC (barring any optimisation techniques) hands over the received Ethernet frame (sans preamble, optionally with or without CRC) to the NIC driver. It is in this path that packet capture is taking place and the software can encapsulate these Ethernet frames in a file format, e.g. PCAP or PCAPNG.
What you propose to do is to get rid of these boundaries and create a single, uninterrupted, byte stream of all concatenated Ethernet frames. This will give you no option to identify the individual Ethernet frames and inhibit you from doing anything useful with this aggregated data.
