wireshark/docbook/wsdg_src/WSDG_chapter_works.asciidoc

108 lines
3.6 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

// WSDG Chapter Works
[[ChapterWorks]]
== How Wireshark Works
[[ChWorksIntro]]
=== Introduction
This chapter will give you a short overview of how Wireshark works.
[[ChWorksOverview]]
=== Overview
The following will give you a simplified overview of Wiresharks function blocks:
[[ChWorksFigOverview]]
.Wireshark function blocks
image::wsdg_graphics/ws-function-blocks.png[{pdf-scaledwidth}]
The function blocks in more detail:
GUI:: Handling of all user input/output (all windows, dialogs and such).
Source code can be found in the _ui/qt_ directory.
Core:: Main "glue code" that holds the other blocks together. Source
code can be found in the root directory.
Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine.
Source code can be found in the _epan_ directory. Epan provides
the following APIs:
* Protocol Tree. Dissection information for an individual packet.
* Dissectors. The various protocol dissectors in
_epan/dissectors_.
* Dissector Plugins - Support for implementing dissectors as separate modules.
Source code can be found in _plugins_.
* Display Filters - The display filter engine at
_epan/dfilter_.
Wiretap:: The wiretap library is used to read and write capture files in libpcap,
pcapng, and many other file formats. Source code is in the
_wiretap_ directory.
Capture:: The interface with the capture engine. Source code is in the
root directory.
Dumpcap:: The capture engine itself. This is the only part that is to execute
with elevated privileges. Source code is in the root directory.
WinPcap and libpcap:: These are separate libraries that provide packet capture
and filtering support on different platforms. The filtering WinPcap and libpcap
works at a much lower level than Wiresharks display filters and uses a
significantly different mechanism. Thats why we have different display and
capture filter syntaxes.
[[ChWorksCapturePackets]]
=== Capturing packets
Capturing takes packets from a network adapter and saves them to a file
on your hard disk.
Since raw network adapter access requires elevated privileges these functions
are isolated into the `dumpcap` program. Its only this program that needs these
privileges, allowing the main part of the code (dissectors, user interface,
etc) to run with normal user privileges.
To hide all the low-level machine dependent details from Wireshark, the libpcap
and WinPcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a
general purpose interface to capture packets and are used by a wide variety of
applications.
[[ChWorksCaptureFiles]]
=== Capture Files
Wireshark can read and write capture files in its natural file formats, pcapng
and pcap, which are used by many other network capturing tools, such as tcpdump.
In addition to this, as one of its strengths, Wireshark can read and write files
in many different file formats of other network capturing tools. The wiretap
library, developed together with Wireshark, provides a general purpose interface
to read and write all the file formats. If you need to add support for another
capture file format this is the place to start.
[[ChWorksDissectPackets]]
=== Dissect packets
While Wireshark is loading packets from a file each packet is dissected.
Wireshark tries to detect the packet type and gets as much information from the
packet as possible. In this run though, only the information shown in the packet
list pane is needed.
As the user selects a specific packet in the packet list pane this packet will
be dissected again. This time, Wireshark tries to get every single piece of
information and put it into the packet details pane.
// End of WSDG Chapter Works