// WSDG Chapter Works

[[ChapterWorks]]
== How Wireshark Works

[[ChWorksIntro]]
=== Introduction
This chapter will give you a short overview of how Wireshark works.

[[ChWorksOverview]]
=== Overview
The following will give you a simplified overview of Wireshark’s function blocks:

[[ChWorksFigOverview]]
.Wireshark function blocks
image::wsdg_graphics/ws-function-blocks.png[{pdf-scaledwidth}]

The function blocks in more detail:

GUI:: Handling of all user input/output (all windows, dialogs and such).
Source code can be found in the _ui/qt_ directory.

Core:: Main "glue code" that holds the other blocks together. Source
code can be found in the root directory.

Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine.
Source code can be found in the _epan_ directory. Epan provides
the following APIs:

* Protocol Tree. Dissection information for an individual packet.

* Dissectors. The various protocol dissectors in
_epan/dissectors_.

* Dissector Plugins - Support for implementing dissectors as separate modules.
Source code can be found in _plugins_.

* Display Filters - The display filter engine at
_epan/dfilter_.

Wiretap:: The wiretap library is used to read and write capture files in libpcap,
pcapng, and many other file formats. Source code is in the
_wiretap_ directory.

Capture:: The interface with the capture engine. Source code is in the
root directory.

Dumpcap:: The capture engine itself. This is the only part that needs to execute
with elevated privileges. Source code is in the root directory.

Npcap and libpcap:: These are separate libraries that provide packet capture
and filtering support on different platforms. The filtering in Npcap and libpcap
works at a much lower level than Wireshark’s display filters and uses a
significantly different mechanism. That’s why we have different display and
capture filter syntaxes.

[[ChWorksCapturePackets]]
=== Capturing packets

Capturing takes packets from a network adapter and saves them to a file
on your hard disk.

Since raw network adapter access requires elevated privileges, these functions
are isolated into the `dumpcap` program. It’s only this program that needs these
privileges, allowing the main part of the code (dissectors, user interface,
etc.) to run with normal user privileges.

To hide all the low-level machine-dependent details from Wireshark, the libpcap
and Npcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a
general purpose interface to capture packets and are used by a wide variety of
applications.

[[ChWorksCaptureFiles]]
=== Capture Files

Wireshark can read and write capture files in its native file formats, pcapng
and pcap, which are used by many other network capturing tools, such as tcpdump.
In addition to this, as one of its strengths, Wireshark can read and write files
in many different file formats of other network capturing tools. The wiretap
library, developed together with Wireshark, provides a general purpose interface
to read and write all the file formats. If you need to add support for another
capture file format, this is the place to start.
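As an added example (not part of the Wireshark sources, whose wiretap code is C), the following Python writes and parses the classic pcap format that wiretap handles: it derives byte order and timestamp resolution from the magic number and rejects any record whose incl_len exceeds the snaplen, the original length or the bytes actually left in the file, which are the checks a reader needs before it trusts a capture from an untrusted source. The sample frames are constructed, not captured.

```python
import struct
# Constructed sample frames (fake 14-byte Ethernet header plus payload), not a real capture.
SAMPLE_PACKETS = [
    (1700000000, 123456, b"\x00" * 14 + b"hello"),
    (1700000001, 654321, b"\xff" * 14 + b"world"),
]
PCAP_MAGIC_USEC = 0xA1B2C3D4  # classic pcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D  # pcap variant with nanosecond timestamps
LINKTYPE_ETHERNET = 1

def write_pcap(packets, snaplen=65535, nanosecond=False, endian="<"):
    # Global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes).
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    out = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts_sec, ts_frac, data in packets:
        captured = data[:snaplen]  # a capture engine truncates at snaplen too
        # Record header: ts_sec, ts_frac, incl_len (bytes saved), orig_len (bytes on the wire).
        out += struct.pack(endian + "IIII", ts_sec, ts_frac, len(captured), len(data))
        out += captured
    return out

def read_pcap(blob):
    if len(blob) < 24:
        raise ValueError("truncated global header")
    for endian in ("<", ">"):  # the magic number reveals the writer's byte order
        magic = struct.unpack(endian + "I", blob[:4])[0]
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            break
    else:
        raise ValueError("not a pcap file")
    _, major, minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    packets, off = [], 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        # A malformed file can claim any incl_len; bound it by snaplen, orig_len and the bytes left.
        if incl_len > snaplen or incl_len > orig_len or incl_len > len(blob) - off:
            raise ValueError("bad incl_len %d at offset %d" % (incl_len, off - 16))
        packets.append((ts_sec, ts_frac, blob[off:off + incl_len]))
        off += incl_len
    return {"magic": magic, "version": (major, minor), "snaplen": snaplen,
            "linktype": linktype, "packets": packets}

def is_valid_pcap(blob):
    try:
        read_pcap(blob)
        return True
    except ValueError:
        return False
```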

[[ChWorksDissectPackets]]
=== Dissect packets

While Wireshark is loading packets from a file, each packet is dissected.
Wireshark tries to detect the packet type and gets as much information from the
packet as possible. In this run, though, only the information shown in the packet
list pane is needed.

As the user selects a specific packet in the packet list pane, this packet will
be dissected again. This time, Wireshark tries to get every single piece of
information and put it into the packet details pane.

// End of WSDG Chapter Works