forked from osmocom/wireshark
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
139 lines
4.8 KiB
139 lines
4.8 KiB
This document is an attempt, to bring some light to the things done, when
|
|
packet capturing is performed. There might be things missing, and others
|
|
maybe wrong :-( The following will concentrate a bit on the Windows
|
|
port of Wireshark.
|
|
|
|
|
|
XXX: when ongoing file reorganization will be completed, the following
|
|
two lists maybe won't be needed any longer!
|
|
|
|
libpcap related source files:
|
|
-----------------------------
|
|
capture-pcap-util.c
|
|
capture-pcap-util.h
|
|
capture-pcap-util-int.h
|
|
capture-pcap-util-unix.c
|
|
capture-wpcap.c
|
|
capture-wpcap.h
|
|
|
|
Capture related source files:
|
|
-----------------------------
|
|
capture.c
|
|
capture.h
|
|
capture_loop.c
|
|
capture_loop.h
|
|
capture_opts.c
|
|
capture_sync.c
|
|
capture_ui_utils.c
|
|
capture_ui_utils.h
|
|
|
|
|
|
Capture driver
|
|
--------------
|
|
Wireshark doesn't have direct access to the capture hardware. Instead of this,
|
|
it uses the Libpcap/Winpcap library to capture data from network cards.
|
|
|
|
On Win32, in capture-wpcap.c the function ws_module_open("wpcap.dll") is called
|
|
to load the wpcap.dll. This dll includes all functions needed for
|
|
packet capturing.
|
|
|
|
|
|
|
|
Capture File
|
|
------------
|
|
There are some kinds of targets to put the capture data into:
|
|
|
|
-temporary file
|
|
-user specified "single" capture file
|
|
-user specified "ringbuffer" capture file
|
|
|
|
Which kind of file is used depends on the user settings. In principle there
|
|
is no difference in handling these files, so if not otherwise notified,
|
|
it will be called the capture file.
|
|
|
|
The capture file is stored, using the wiretap library.
|
|
|
|
|
|
Overview
|
|
--------
|
|
Capturing is done using a two task model: the currently running (parent)
|
|
process will spawn a child process to do the real capture work, namely
|
|
controlling libpcap. This two task model is used because it's necessary
|
|
to split the capturing process (which should avoid packet drop) from the parent
|
|
process which might need significant time to display the data.
|
|
|
|
When a capture is started, the parent builds a "command line" and creates a
|
|
new child process with it. A pipe from the child to the parent is created
|
|
which is used to transfer control messages.
|
|
|
|
The child will init libpcap and send the parent a "new capture file is used"
|
|
control message through the pipe.
|
|
|
|
The child cyclically takes the packet data from libpcap and saves it to disk.
|
|
From time to time it will send the parent a "new packets" control message.
|
|
|
|
If the parent process receives this "new packets" message and the option
|
|
"Update list of packets in real time" is used, it will read the packet data
|
|
from the file, dissect and display it.
|
|
|
|
|
|
If the user wants to stop the capture, this can be done in two ways: by
|
|
menu/toolbar of the parent process or the Stop button of the child processes
|
|
dialog box (which obviously cannot be used it this dialog is hidden).
|
|
|
|
The Stop button will stop the capture itself, close the control pipe and then
|
|
closes itself. The parent will detect this and stop its part of the capture.
|
|
|
|
If the menu/toolbar is used, the parent will send a break signal to the child
|
|
which will lead to the same sequence as described above.
|
|
|
|
Win32 only: as the windows implementation of signals simply doesn't work,
|
|
another pipe from the parent to the child is used to send a "close capture"
|
|
message instead of a signal.
|
|
|
|
|
|
Start capture
|
|
-------------
|
|
A capture is started, by specifying to start the capture at the command line,
|
|
trigger the OK button in the "Capture Options" dialog box and some more. The
|
|
capture start is actually done by calling the capture_start() function in
|
|
capture.c.
|
|
|
|
|
|
Capture child (Loop)
|
|
--------------------
|
|
The capture child will open the target capture file, prepare pcap things,
|
|
init stop conditions, init the capture statistic dialog (if not hidden) and
|
|
start a loop which is running until the flag ld.go is FALSE.
|
|
|
|
Inside this loop,
|
|
|
|
-Qt main things are updated
|
|
-pcap_dispatch(capture_pcap_cb) is called
|
|
-the capture stop conditions are checked (ld.go is set to FALSE to finish)
|
|
-update the capture statistic dialog (if not hidden)
|
|
|
|
While this loop is running, the pcap_dispatch() will call capture_pcap_cb()
|
|
for every packet captured. Inside this, the packet data is converted into
|
|
wtap (wiretap) format and saved to file. Beside saving, it is trying to
|
|
do some basic dissecting (for the statistic window), by calling the
|
|
appropriate capture_xxx function.
|
|
|
|
When the user triggered a capture stop or one of the capture stop conditions
|
|
matched, the ld.go flag is set to FALSE, and the loop will stop shortly after.
|
|
|
|
|
|
Capture parent
|
|
--------------
|
|
In the capture parent the cap_pipe_input_cb() function is called "cyclically"
|
|
(unix:waiting for pipe, win32:timer,1000ms) to read data from the pipe and show
|
|
it on the main screen. While the capture is in progress, no other capture file
|
|
can be opened.
|
|
|
|
|
|
Updating
|
|
--------
|
|
The actual packet capturing inside the libpcap is done using its own task.
|
|
Catching and processing the packet data from the libpcap is done using the
|
|
pcap_dispatch() function.
|