forked from osmocom/wireshark
169 lines
5.4 KiB
XML
169 lines
5.4 KiB
XML
<!-- WSDG Chapter Works -->
|
|
<!-- $Id$ -->
|
|
|
|
<chapter id="ChapterWorks">
|
|
<title>How Wireshark Works</title>
|
|
|
|
<section id="ChWorksIntro">
|
|
<title>Introduction</title>
|
|
<para>
|
|
This chapter will give you a short overview of how Wireshark works.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChWorksOverview">
|
|
<title>Overview</title>
|
|
<para>
|
|
The following will give you a simplified overview of Wireshark's function blocks:
|
|
<figure id="ChWorksFigOverview">
|
|
<title>
|
|
<application>Wireshark</application> function blocks.
|
|
</title>
|
|
<graphic entityref="WiresharkFunctionBlocks" format="PNG"/>
|
|
</figure>
|
|
</para>
|
|
<para>
|
|
The function blocks in more detail:
|
|
<variablelist>
|
|
<varlistentry><term><command>GTK+ 2</command></term>
|
|
<listitem>
|
|
<para>
|
|
Handling of all user input/output (all windows, dialogs and such).
|
|
Source code can be found in the <filename>gtk</filename> directory.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>Core</command></term>
|
|
<listitem>
|
|
<para>
|
|
Main "glue code" that holds the other blocks together. Source
|
|
code can be found in the root directory.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>Epan</command></term>
|
|
<listitem>
|
|
<para>
|
|
Ethereal Packet ANalyzer - the packet analyzing engine.
|
|
Source code can be found in the <filename>epan</filename> directory.
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>
|
|
Protocol-Tree - Keep data of the capture file protocol information.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Dissectors - The various protocol dissectors in
|
|
<filename>epan/dissectors</filename>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Dissector-Plugins - Some of the protocol dissectors are implemented
|
|
as plugins. Source code can be found in <filename>plugins</filename>.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>
|
|
Display-Filters - the display filter engine at
|
|
<filename>epan/dfilter</filename>.
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>Wiretap</command></term>
|
|
<listitem>
|
|
<para>
|
|
The wiretap library is used to read/write capture files in libpcap
|
|
and a lot of other file formats. Source code in the
|
|
<filename>wiretap</filename> directory.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>Capture</command></term>
|
|
<listitem>
|
|
<para>
|
|
The interface with the capture engine. Source code in the
|
|
root directory.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry><term><command>Dumpcap</command></term>
|
|
<listitem>
|
|
<para>
|
|
The capture engine itself. This is the only part that is to execute
|
|
with elevated privileges. Source code in the root directory.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><command>WinPcap / libpcap (not part of the Wireshark package)</command></term>
|
|
<listitem>
|
|
<para>
|
|
The platform dependent packet capture library, including the capture
|
|
filter engine. That's the reason why we still have different display
|
|
and capture filter syntax, as two different filtering engines are used.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChWorksCapturePackets">
|
|
<title>Capturing packets</title>
|
|
<para>
|
|
Capturing will take packets from a network adapter, and save them to a file
|
|
on your harddisk.
|
|
</para>
|
|
<para>
|
|
Since raw network adapter access requires elevated privileges these functions
|
|
are isolated into the dumpcap program. It's only this program that needs these
|
|
privileges, allowing the main part of the code (dissectors, user interface,
|
|
etc) to run as normal user program.
|
|
</para>
|
|
<para>
|
|
To hide all the lowlevel machine dependent details from
|
|
Wireshark, the libpcap/WinPcap (see <xref linkend="ChLibsPcap"/>) library
|
|
is used. This library provides a general purpose interface to capture
|
|
packets from a lot of different network interface types (Ethernet,
|
|
Token Ring, ...).
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChWorksCaptureFiles">
|
|
<title>Capture Files</title>
|
|
<para>
|
|
Wireshark can read and write capture files in its natural file format, the
|
|
libpcap format, which is used by many other network capturing tools,
|
|
e.g. tcpdump. In addition to this, as one of its strengths,
|
|
Wireshark can read/write files in many different file formats of other
|
|
network capturing tools. The wiretap library, developed together with
|
|
Wireshark, provides a general purpose interface to read/write all the file
|
|
formats. If you need to add another capture file format, this is the place
|
|
to start.
|
|
</para>
|
|
</section>
|
|
|
|
<section id="ChWorksDissectPackets">
|
|
<title>Dissect packets</title>
|
|
<para>
|
|
While Wireshark is loading packets from a file, each packet is dissected.
|
|
Wireshark tries to detect the packet type and gets as much
|
|
information from the packet as possible. In this run though, only the information shown
|
|
in the packet list pane is needed.
|
|
</para>
|
|
<para>
|
|
As the user selects a specific packet in the packet list pane, this packet
|
|
will be dissected again. This time, Wireshark tries to
|
|
get every single piece of information and put it into
|
|
the packet details pane.
|
|
</para>
|
|
</section>
|
|
|
|
</chapter>
|
|
<!-- End of WSDG Chapter Works -->
|