// WSDG Chapter Works

[[ChapterWorks]]

== How Wireshark Works

[[ChWorksIntro]]

=== Introduction

This chapter will give you a short overview of how Wireshark works.

[[ChWorksOverview]]

=== Overview

The following will give you a simplified overview of Wireshark’s function blocks:

[[ChWorksFigOverview]]
.Wireshark function blocks
image::wsdg_graphics/ws-function-blocks.png[{pdf-scaledwidth}]

The function blocks in more detail:

GUI:: Handling of all user input/output (all windows, dialogs and such).
Source code can be found in the _ui/qt_ directory.

Core:: Main "glue code" that holds the other blocks together. Source
code can be found in the root directory.

Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine.
Source code can be found in the _epan_ directory. Epan provides
the following APIs:

* Protocol Tree. Dissection information for an individual packet.

* Dissectors. The various protocol dissectors in _epan/dissectors_.

* Dissector Plugins. Support for implementing dissectors as separate modules.
Source code can be found in _plugins_.

* Display Filters. The display filter engine at _epan/dfilter_.

Wiretap:: The wiretap library is used to read and write capture files in libpcap,
pcapng, and many other file formats. Source code is in the _wiretap_ directory.

Capture:: The interface to the capture engine. Source code is in the
root directory.

Dumpcap:: The capture engine itself. This is the only part that executes with
elevated privileges. Source code is in the root directory.

Npcap and libpcap:: These are external libraries that provide packet capture
and filtering support on different platforms. The filtering in Npcap and libpcap
works at a much lower level than Wireshark’s display filters and uses a
significantly different mechanism. That’s why there are different display and
capture filter syntaxes.

[[ChWorksCapturePackets]]

=== Capturing packets

Capturing takes packets from a network adapter and saves them to a file
on your hard disk.

Since raw network adapter access requires elevated privileges, these functions
are isolated to the `dumpcap` program. Placing the capture functionality
into `dumpcap` allows the rest of the code (dissectors, user interface,
etc.) to run with normal user privileges.
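As an added check (not part of the Wireshark source or this guide), the following Python script reports which of a set of Wireshark executables carry elevated privileges, so a deployment can confirm that only `dumpcap` does. It assumes Unix setuid/setgid bits and, on Linux, file capabilities stored in the `security.capability` xattr; the default paths under `/usr/bin` are an assumption.

```python
import os
import stat


def elevation_markers(path):
    """Return which elevation mechanisms an executable carries: 'setuid',
    'setgid' and/or 'filecaps'. An empty list means it runs with the
    privileges of whoever launched it, as everything except dumpcap should."""
    st = os.lstat(path)
    markers = []
    if st.st_mode & stat.S_ISUID:
        markers.append("setuid")
    if st.st_mode & stat.S_ISGID:
        markers.append("setgid")
    # Linux keeps file capabilities (the usual way to grant dumpcap
    # cap_net_raw/cap_net_admin without setuid) in the security.capability xattr.
    if hasattr(os, "getxattr"):
        try:
            os.getxattr(path, "security.capability", follow_symlinks=False)
            markers.append("filecaps")
        except OSError:
            pass  # no capability set, or xattrs unsupported on this filesystem
    return markers


def unexpected_elevation(paths, capture_binary="dumpcap"):
    """Map basename -> markers for every executable in `paths` that holds
    elevated privileges but is not the capture engine. A non-empty result
    means the privilege separation described above has been widened."""
    found = {}
    for path in paths:
        name = os.path.basename(path)
        markers = elevation_markers(path)
        if markers and name != capture_binary:
            found[name] = markers
    return found


if __name__ == "__main__":
    import sys
    # Assumed install locations; pass your own paths as arguments instead.
    candidates = sys.argv[1:] or ["/usr/bin/dumpcap", "/usr/bin/wireshark",
                                  "/usr/bin/tshark", "/usr/bin/capinfos"]
    present = [p for p in candidates if os.path.isfile(p)]
    for name, markers in unexpected_elevation(present).items():
        print("%s is elevated via %s" % (name, ", ".join(markers)))
```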

To hide all the low-level machine dependent details from Wireshark, the libpcap
and Npcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a
general purpose interface to capture packets and are used by a wide variety of
applications.

[[ChWorksCaptureFiles]]

=== Capture Files

Wireshark can read and write capture files in its native file formats, pcapng
and pcap, which are used by many other network capturing tools, such as tcpdump.
Additionally, Wireshark supports reading and writing packet capture files
in formats used by other network capture tools. This support is implemented in
Wireshark's wiretap library, which provides a general purpose interface for
reading and writing packet capture formats and supports more than twenty
packet capture formats.
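To show what a wiretap-style reader has to verify before trusting a file, here is an added Python parser for the classic pcap format (example code, not Wireshark's wiretap library). It handles both byte orders and both timestamp resolutions and treats every length field as untrusted; `build_pcap` constructs the sample input.

```python
import struct

# The magic bytes as written in the file select the byte order and the
# timestamp unit (given here as a scale factor to nanoseconds).
PCAP_MAGIC = {
    b"\xa1\xb2\xc3\xd4": (">", 1000),  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("<", 1000),  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", 1),     # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", 1),     # little-endian, nanosecond timestamps
}
MAX_SNAPLEN = 262144  # libpcap's MAXIMUM_SNAPLEN; larger values are not a sane capture


def read_pcap(data):
    """Parse an in-memory pcap file into (linktype, [(ts_ns, packet_bytes), ...]),
    raising ValueError on malformed input instead of reading past the buffer."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    magic = bytes(data[:4])
    if magic not in PCAP_MAGIC:
        raise ValueError("not a classic pcap file: magic %s" % magic.hex())
    endian, ts_scale = PCAP_MAGIC[magic]
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (major, minor))
    if not 0 < snaplen <= MAX_SNAPLEN:
        raise ValueError("implausible snaplen %d" % snaplen)
    packets, off = [], 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[off:off + 16])
        # incl_len comes from the file: bound it by snaplen, orig_len and the
        # bytes actually present before using it as a slice length.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("record at offset %d has inconsistent lengths" % off)
        if incl_len > len(data) - off - 16:
            raise ValueError("truncated packet data at offset %d" % (off + 16))
        packets.append((ts_sec * 10**9 + ts_frac * ts_scale,
                        bytes(data[off + 16:off + 16 + incl_len])))
        off += 16 + incl_len
    return linktype, packets


def build_pcap(records, linktype=1, snaplen=65535, endian="<"):
    """Construct a microsecond-resolution pcap in memory (sample input only)."""
    magic = b"\xd4\xc3\xb2\xa1" if endian == "<" else b"\xa1\xb2\xc3\xd4"
    out = magic + struct.pack(endian + "HHiIII", 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_usec, pkt in records:
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(pkt), len(pkt)) + pkt
    return out
```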

[[ChWorksDissectPackets]]

=== Dissect packets

Wireshark dissects packets in what it calls 'two-pass' dissection.

Wireshark performs a first pass of dissecting all packets as they are loaded
from the file. All packets are dissected sequentially and this information
is used to populate Wireshark's packet list pane and to build state and
other information needed when displaying the packet.

Wireshark later performs 'second pass' ad-hoc dissections on the
packets that it needs data from. This enables Wireshark to fill in fields that
require future knowledge, like the 'response in frame #' fields,
and correctly calculate reassembly frame dependencies.

For example, Wireshark will perform an ad-hoc dissection when a user selects
a packet (to display the packet details), calculates a statistic (so all
values are computed), or performs another action that requires packet data.
However, because Wireshark may only dissect the packets that are needed,
there is no guarantee that Wireshark will dissect all packets again, nor is
there any guarantee as to the order that the packets will be dissected after
the first pass.
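The two-pass model above, as an added Python example (not Wireshark code): a toy dissector for a constructed request/response protocol records request/response pairs during the sequential first pass and only reads that state during ad-hoc second-pass dissection, so the 'response in frame' field comes out right no matter which frames are re-dissected or in what order.

```python
# Constructed capture: (frame_number, direction, transaction_id). The made-up
# protocol pairs a request with the response carrying the same transaction id.
FRAMES = [
    (1, "req", 7),
    (2, "req", 9),
    (3, "resp", 7),
    (4, "resp", 9),
    (5, "req", 11),   # its response is not in the capture
]


def dissect(frame, state, first_pass):
    """Dissect one frame. Only the first pass may write to the shared state;
    a second-pass dissection (Wireshark exposes this as pinfo->fd->visited)
    reads it, so the result cannot depend on which other frames were
    re-dissected before this one."""
    num, direction, tid = frame
    fields = {"frame": num, "direction": direction, "tid": tid}
    if first_pass:
        conv = state.setdefault(tid, {})
        if direction == "req":
            conv.setdefault("req", num)
        elif "req" in conv:
            conv.setdefault("resp", num)   # first matching response wins
    conv = state.get(tid, {})
    if direction == "req":
        # Forward reference: only known once the whole first pass has run,
        # so during the first pass this is None for every request.
        fields["response_in"] = conv.get("resp")
    else:
        fields["request_in"] = conv.get("req")
    return fields


def first_pass(frames):
    """Sequentially dissect every frame as it is loaded, building the state."""
    state = {}
    results = [dissect(f, state, first_pass=True) for f in frames]
    return state, results


def second_pass(frames, state, wanted):
    """Ad-hoc re-dissection of just the frames that are needed (for example
    the one the user selected), in arbitrary order, without mutating state."""
    by_num = {f[0]: f for f in frames}
    return {n: dissect(by_num[n], state, first_pass=False) for n in wanted}
```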

// End of WSDG Chapter Works