forked from osmocom/wireshark
108 lines
3.6 KiB
Plaintext
108 lines
3.6 KiB
Plaintext
// WSDG Chapter Works
|
||
|
||
[[ChapterWorks]]
|
||
|
||
== How Wireshark Works
|
||
|
||
[[ChWorksIntro]]
|
||
|
||
=== Introduction
|
||
|
||
This chapter will give you a short overview of how Wireshark works.
|
||
|
||
[[ChWorksOverview]]
|
||
|
||
=== Overview
|
||
|
||
The following will give you a simplified overview of Wireshark’s function blocks:
|
||
|
||
[[ChWorksFigOverview]]
|
||
|
||
.Wireshark function blocks
|
||
image::wsdg_graphics/ws-function-blocks.png[{pdf-scaledwidth}]
|
||
|
||
The function blocks in more detail:
|
||
|
||
GUI:: Handling of all user input/output (all windows, dialogs and such).
|
||
Source code can be found in the _ui/qt_ directory.
|
||
|
||
Core:: Main "glue code" that holds the other blocks together. Source
|
||
code can be found in the root directory.
|
||
|
||
Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine.
|
||
Source code can be found in the _epan_ directory. Epan provides
|
||
the following APIs:
|
||
|
||
* Protocol Tree. Dissection information for an individual packet.
|
||
|
||
* Dissectors. The various protocol dissectors in
|
||
_epan/dissectors_.
|
||
|
||
* Dissector Plugins - Support for implementing dissectors as separate modules.
|
||
Source code can be found in _plugins_.
|
||
|
||
* Display Filters - The display filter engine at
|
||
_epan/dfilter_.
|
||
|
||
Wiretap:: The wiretap library is used to read and write capture files in libpcap,
|
||
pcapng, and many other file formats. Source code is in the
|
||
_wiretap_ directory.
|
||
|
||
Capture:: The interface with the capture engine. Source code is in the
|
||
root directory.
|
||
|
||
Dumpcap:: The capture engine itself. This is the only part that is to execute
|
||
with elevated privileges. Source code is in the root directory.
|
||
|
||
WinPcap and libpcap:: These are separate libraries that provide packet capture
|
||
and filtering support on different platforms. The filtering WinPcap and libpcap
|
||
works at a much lower level than Wireshark’s display filters and uses a
|
||
significantly different mechanism. That’s why we have different display and
|
||
capture filter syntaxes.
|
||
|
||
|
||
[[ChWorksCapturePackets]]
|
||
|
||
=== Capturing packets
|
||
|
||
Capturing takes packets from a network adapter and saves them to a file
|
||
on your hard disk.
|
||
|
||
Since raw network adapter access requires elevated privileges these functions
|
||
are isolated into the `dumpcap` program. It’s only this program that needs these
|
||
privileges, allowing the main part of the code (dissectors, user interface,
|
||
etc) to run with normal user privileges.
|
||
|
||
To hide all the low-level machine dependent details from Wireshark, the libpcap
|
||
and WinPcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a
|
||
general purpose interface to capture packets and are used by a wide variety of
|
||
applications.
|
||
|
||
[[ChWorksCaptureFiles]]
|
||
|
||
=== Capture Files
|
||
|
||
Wireshark can read and write capture files in its natural file formats, pcapng
|
||
and pcap, which are used by many other network capturing tools, such as tcpdump.
|
||
In addition to this, as one of its strengths, Wireshark can read and write files
|
||
in many different file formats of other network capturing tools. The wiretap
|
||
library, developed together with Wireshark, provides a general purpose interface
|
||
to read and write all the file formats. If you need to add support for another
|
||
capture file format this is the place to start.
|
||
|
||
[[ChWorksDissectPackets]]
|
||
|
||
=== Dissect packets
|
||
|
||
While Wireshark is loading packets from a file each packet is dissected.
|
||
Wireshark tries to detect the packet type and gets as much information from the
|
||
packet as possible. In this run though, only the information shown in the packet
|
||
list pane is needed.
|
||
|
||
As the user selects a specific packet in the packet list pane this packet will
|
||
be dissected again. This time, Wireshark tries to get every single piece of
|
||
information and put it into the packet details pane.
|
||
|
||
// End of WSDG Chapter Works
|
||
|