You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

139 lines
4.8 KiB

This document is an attempt, to bring some light to the things done, when
packet capturing is performed. There might be things missing, and others
maybe wrong :-( The following will concentrate a bit on the Windows
port of Wireshark.
XXX: when ongoing file reorganization will be completed, the following
two lists maybe won't be needed any longer!
libpcap related source files:
Capture related source files:
Capture driver
Wireshark doesn't have direct access to the capture hardware. Instead of this,
it uses the Libpcap/Winpcap library to capture data from network cards.
On Win32, in capture-wpcap.c the function ws_module_open("wpcap.dll") is called
to load the wpcap.dll. This dll includes all functions needed for
packet capturing.
Capture File
There are some kinds of targets to put the capture data into:
-temporary file
-user specified "single" capture file
-user specified "ringbuffer" capture file
Which kind of file is used depends on the user settings. In principle there
is no difference in handling these files, so if not otherwise notified,
it will be called the capture file.
The capture file is stored, using the wiretap library.
Capturing is done using a two task model: the currently running (parent)
process will spawn a child process to do the real capture work, namely
controlling libpcap. This two task model is used because it's necessary
to split the capturing process (which should avoid packet drop) from the parent
process which might need significant time to display the data.
When a capture is started, the parent builds a "command line" and creates a
new child process with it. A pipe from the child to the parent is created
which is used to transfer control messages.
The child will init libpcap and send the parent a "new capture file is used"
control message through the pipe.
The child cyclically takes the packet data from libpcap and saves it to disk.
From time to time it will send the parent a "new packets" control message.
If the parent process receives this "new packets" message and the option
"Update list of packets in real time" is used, it will read the packet data
from the file, dissect and display it.
If the user wants to stop the capture, this can be done in two ways: by
menu/toolbar of the parent process or the Stop button of the child processes
dialog box (which obviously cannot be used it this dialog is hidden).
The Stop button will stop the capture itself, close the control pipe and then
closes itself. The parent will detect this and stop its part of the capture.
If the menu/toolbar is used, the parent will send a break signal to the child
which will lead to the same sequence as described above.
Win32 only: as the windows implementation of signals simply doesn't work,
another pipe from the parent to the child is used to send a "close capture"
message instead of a signal.
Start capture
A capture is started, by specifying to start the capture at the command line,
trigger the OK button in the "Capture Options" dialog box and some more. The
capture start is actually done by calling the capture_start() function in
Capture child (Loop)
The capture child will open the target capture file, prepare pcap things,
init stop conditions, init the capture statistic dialog (if not hidden) and
start a loop which is running until the flag ld.go is FALSE.
Inside this loop,
-Qt main things are updated
-pcap_dispatch(capture_pcap_cb) is called
-the capture stop conditions are checked (ld.go is set to FALSE to finish)
-update the capture statistic dialog (if not hidden)
While this loop is running, the pcap_dispatch() will call capture_pcap_cb()
for every packet captured. Inside this, the packet data is converted into
wtap (wiretap) format and saved to file. Beside saving, it is trying to
do some basic dissecting (for the statistic window), by calling the
appropriate capture_xxx function.
When the user triggered a capture stop or one of the capture stop conditions
matched, the ld.go flag is set to FALSE, and the loop will stop shortly after.
Capture parent
In the capture parent the cap_pipe_input_cb() function is called "cyclically"
(unix:waiting for pipe, win32:timer,1000ms) to read data from the pipe and show
it on the main screen. While the capture is in progress, no other capture file
can be opened.
The actual packet capturing inside the libpcap is done using its own task.
Catching and processing the packet data from the libpcap is done using the
pcap_dispatch() function.