<!-- WSDG Chapter Works -->

<!-- $Id$ -->

<chapter id="ChapterWorks">
  <title>How Wireshark Works</title>

  <section id="ChWorksIntro">
    <title>Introduction</title>
    <para>
      This chapter gives you a short overview of how Wireshark works.
    </para>
  </section>

  <section id="ChWorksOverview">
    <title>Overview</title>
    <para>
      The following will give you a simplified overview of Wireshark's function blocks:
      <figure id="ChWorksFigOverview">
        <title>
          <application>Wireshark</application> function blocks.
        </title>
        <graphic entityref="WiresharkFunctionBlocks" format="PNG"/>
      </figure>
    </para>
    <para>
      The function blocks in more detail:
      <variablelist>
        <varlistentry><term><command>GTK 1/2</command></term>
          <listitem>
            <para>
              Handling of all user input/output (all windows, dialogs and such).
              Source code can be found in the <filename>gtk</filename> directory.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Core</command></term>
          <listitem>
            <para>
              Main "glue code" that holds the other blocks together. Source
              code can be found in the root directory.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Epan</command></term>
          <listitem>
            <para>
              Ethereal Packet ANalyzer (XXX - is this correct?), the packet
              analyzing engine. Source code can be found in the
              <filename>epan</filename> directory.
            </para>
            <itemizedlist>
              <listitem>
                <para>
                  Protocol-Tree - Holds the protocol information of the packets in the capture file.
                </para>
              </listitem>
              <listitem>
                <para>
                  Dissectors - The various protocol dissectors in
                  <filename>epan/dissectors</filename>.
                </para>
              </listitem>
              <listitem>
                <para>
                  Plugins - Some of the protocol dissectors are implemented as plugins. Source
                  code can be found in the <filename>plugins</filename> directory.
                </para>
              </listitem>
              <listitem>
                <para>
                  Display-Filters - The display filter engine in
                  <filename>epan/dfilter</filename>.
                </para>
              </listitem>
            </itemizedlist>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Capture</command></term>
          <listitem>
            <para>
              The capture engine.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry><term><command>Wiretap</command></term>
          <listitem>
            <para>
              The wiretap library is used to read/write capture files in libpcap
              and a lot of other file formats. Source code can be found in the
              <filename>wiretap</filename> directory.
            </para>
          </listitem>
        </varlistentry>
        <varlistentry>
          <term><command>Win-/libpcap (not part of the Wireshark package)</command></term>
          <listitem>
            <para>
              The platform-dependent packet capture library, including the capture
              filter engine. That's the reason why we still have different display
              and capture filter syntaxes: two different filtering engines are used.
            </para>
          </listitem>
        </varlistentry>
      </variablelist>
    </para>
  </section>

  <section id="ChWorksCapturePackets">
    <title>Capturing packets</title>
    <para>
      Capturing takes packets from a network adapter and saves them to a file
      on your hard disk.
    </para>
    <para>
      To hide all the low-level, machine-dependent details from
      Wireshark, the libpcap/WinPcap (see <xref linkend="ChLibsPcap"/>) library
      is used. This library provides a general-purpose interface to capture
      packets from a lot of different network interface types (Ethernet,
      Token Ring, ...).
    </para>
  </section>

  <section id="ChWorksCaptureFiles">
    <title>Capture Files</title>
    <para>
      Wireshark can read and write capture files in its native file format, the
      libpcap format, which is used by many other network capturing tools,
      e.g. tcpdump. In addition to this, as one of its strengths,
      Wireshark can read/write files in many different file formats of other
      network capturing tools. The wiretap library, developed together with
      Wireshark, provides a general-purpose interface to read/write all the file
      formats. If you need to add another capture file format, this is the place
      to start.
    </para>
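    <para>
      The following is an added example, not code from Wireshark or its wiretap
      library: a minimal reader for the classic libpcap file format that the
      previous section's capture engine writes and this section calls Wireshark's
      native format. It shows the two things a file-format reader in wiretap has to
      get right before trusting a single field: the byte order is detected from the
      magic number, and every record length is checked against both the declared
      snapshot length and the remaining file size, so a malformed file yields an
      error code instead of an out-of-bounds read. The capture bytes are constructed
      here; the error codes, the <function>build_sample</function> helper and the
      <constant>MAX_SNAPLEN</constant> bound are this example's own choices (libpcap's
      own maximum snapshot length is 262144 bytes).
    </para>

```c
/* Added example (not Wireshark/wiretap code): a bounds-checked libpcap file reader. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCAP_MAGIC_US 0xa1b2c3d4u   /* microsecond timestamps */
#define PCAP_MAGIC_NS 0xa1b23c4du   /* nanosecond timestamps */
#define MAX_SNAPLEN   262144u       /* example's own upper bound for snaplen */

struct pcap_summary {
    int swapped;        /* file byte order differs from the host's */
    uint32_t snaplen;   /* snapshot length from the global header */
    uint32_t linktype;  /* link-layer type, e.g. 1 = Ethernet */
    int packets;        /* records parsed */
    uint32_t bytes;     /* sum of captured (incl_len) bytes */
};

static uint32_t bswap32(uint32_t v) {
    return (v << 24) | ((v & 0xff00u) << 8) | ((v >> 8) & 0xff00u) | (v >> 24);
}
static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v; memcpy(&v, p, 4); return swap ? bswap32(v) : v;
}
static uint16_t rd16(const uint8_t *p, int swap) {
    uint16_t v; memcpy(&v, p, 2); return swap ? (uint16_t)((v << 8) | (v >> 8)) : v;
}

/* Returns 0 on success, or a negative code naming the first defect found. */
int pcap_parse(const uint8_t *buf, size_t len, struct pcap_summary *out) {
    uint32_t magic;
    size_t off = 24;                                  /* global header size */
    memset(out, 0, sizeof *out);
    if (len < 24) return -1;                          /* truncated global header */
    memcpy(&magic, buf, 4);
    if (magic == PCAP_MAGIC_US || magic == PCAP_MAGIC_NS) out->swapped = 0;
    else if (magic == bswap32(PCAP_MAGIC_US) || magic == bswap32(PCAP_MAGIC_NS)) out->swapped = 1;
    else return -2;                                   /* not a libpcap file */
    if (rd16(buf + 4, out->swapped) != 2 || rd16(buf + 6, out->swapped) != 4) return -3;
    out->snaplen  = rd32(buf + 16, out->swapped);
    out->linktype = rd32(buf + 20, out->swapped);
    if (out->snaplen == 0 || out->snaplen > MAX_SNAPLEN) return -4;
    while (off < len) {
        uint32_t incl;
        if (len - off < 16) return -5;                /* truncated record header */
        incl = rd32(buf + off + 8, out->swapped);     /* incl_len field */
        if (incl > out->snaplen) return -6;           /* longer than the snapshot allows */
        off += 16;
        if (len - off < incl) return -7;              /* data runs past end of file */
        out->packets++;
        out->bytes += incl;
        off += incl;
    }
    return 0;
}

/* Writers for the constructed sample file, in either byte order. */
static void put16(uint8_t *p, uint16_t v, int big) {
    p[0] = (uint8_t)(big ? v >> 8 : v); p[1] = (uint8_t)(big ? v : v >> 8);
}
static void put32(uint8_t *p, uint32_t v, int big) {
    int i; for (i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (big ? 8 * (3 - i) : 8 * i));
}

/* Builds a constructed two-record capture (14 and 4 captured bytes) into buf
 * (74 bytes needed) and returns its length. Timestamps are made-up values. */
size_t build_sample(uint8_t *buf, int big) {
    static const uint32_t lens[2] = { 14, 4 };
    size_t n = 0; int i;
    put32(buf + n, PCAP_MAGIC_US, big); n += 4;
    put16(buf + n, 2, big); n += 2;                   /* version major */
    put16(buf + n, 4, big); n += 2;                   /* version minor */
    put32(buf + n, 0, big); n += 4;                   /* thiszone */
    put32(buf + n, 0, big); n += 4;                   /* sigfigs */
    put32(buf + n, 65535, big); n += 4;               /* snaplen */
    put32(buf + n, 1, big); n += 4;                   /* linktype: Ethernet */
    for (i = 0; i < 2; i++) {
        put32(buf + n, 1149635338u + (uint32_t)i, big); n += 4;  /* ts_sec */
        put32(buf + n, 0, big); n += 4;               /* ts_usec */
        put32(buf + n, lens[i], big); n += 4;         /* incl_len */
        put32(buf + n, lens[i], big); n += 4;         /* orig_len */
        memset(buf + n, 0xab, lens[i]); n += lens[i]; /* placeholder frame bytes */
    }
    return n;
}

int main(void) {
    uint8_t file[128];
    struct pcap_summary s;
    size_t n = build_sample(file, 1);                 /* big-endian file */
    int rc = pcap_parse(file, n, &s);
    printf("rc=%d swapped=%d linktype=%u packets=%d bytes=%u\n",
           rc, s.swapped, s.linktype, s.packets, s.bytes);
    return rc != 0;
}
```

    <para>
      Building the same sample in both byte orders and parsing each exercises
      the swap detection on whatever host the code runs on; truncating the
      buffer by one byte, or damaging the magic number, shows the reader
      rejecting the file instead of reading beyond it.
    </para>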
</section>
  <section id="ChWorksDissectPackets">
    <title>Dissect packets</title>
    <para>
      While Wireshark is loading packets from a file, each packet is dissected.
      Wireshark tries to detect what kind of packet it is and to get as much
      information from it as possible. In this run, however, only the information
      shown in the packet list pane is needed.
    </para>
    <para>
      When the user selects a specific packet in the packet list pane, this packet
      is dissected again. This time, Wireshark tries to
      get every single piece of information and puts it into
      the packet details pane.
    </para>
</section>

</chapter>

<!-- End of WSDG Chapter Works -->