// WSUG Appendix How it Works

[[AppHowItWorks]]

[appendix]
== How Wireshark Works

When using a program as complex as Wireshark, it’s sometimes useful to
understand the mechanisms and concepts behind the surface. This appendix
is an attempt to shed some light on the inner workings of Wireshark.

=== Program start

When Wireshark starts, a lot of things are done:

* Initialize the dissectors (register the protocol tree), including plugins

* Load and set values from the preferences file

* Load the capture filters from the cfilters file

* Load the display filters from the dfilters file

* Load and set the disabled protocols from the disabled_protos file

* Init libpcap/Npcap (the capturing engine)

* Process command line parameters

* Load and set the recently used GUI settings from the recent file

* Init and show the main screen

* If specified by command line, load a capture file or start capturing

=== Protocol dissectors

Each protocol has its own protocol dissector. When processing network data,
Wireshark calls the dissector that seems relevant to the packet data. The
dissector will then process the packet data and send any unprocessed data
back to Wireshark for further dissection.

So Wireshark will dissect a packet from the lowest to the highest protocol
layer.

But how does Wireshark know which dissector to use?

When Wireshark starts, each dissector registers itself in one of two ways:

* _Static_. If the dissector knows a specific value of a lower layer, it can
directly register itself there (e.g. the HTTP dissector “knows” that
HTTP data is typically transported over the well-known TCP port 80).

* _Heuristic_. If no such well-known value exists, the dissector
can register itself for the heuristic mechanism. If a lower layer dissector
has to handle some packet data for which no well-known value is registered,
it can hand the packet over to Wireshark’s heuristic mechanism. This will
ask all registered upper-layer dissectors whether they “like” that data.
These dissectors typically look at the first few bytes of the packet to
see if they contain some characteristic data of that protocol, and then
decide whether or not to dissect that packet.

Let’s look at an example. We’ll assume Wireshark loads a TCP/IP/Ethernet
packet. Wireshark will call the Ethernet dissector, which will dissect the
Ethernet related data (usually the first 6 + 6 + 2 bytes). The Ethernet
dissector then passes the rest of the data back to Wireshark.
Wireshark in turn will call the next related dissector, in our case the IP
dissector (because of the value 0x800 in the Ethernet type field). This
will continue until no more data has to be dissected, or the data is
unknown to Wireshark.

You can control the way Wireshark calls its dissectors, see
<<ChAdvProtocolDissectionSection>> for details.
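
The registration and dissection chain described above, as an added example that is not part of the user’s guide or of Wireshark’s own code: a small Python model with a static registry keyed by lower-layer value (Ethernet type, IP protocol number, TCP port) and a heuristic fallback, run over a constructed Ethernet/IPv4/TCP frame. The key names such as `("tcp.port", 80)`, the dissector function names and the frame builder are assumptions of this model, not Wireshark APIs.

```python
import struct

# Added example, not Wireshark's own code: a miniature model of the dissector
# chain. A dissector returns (protocol name, keys for the next lookup, rest).
STATIC = {}     # (lower layer, value) -> dissector, e.g. ("tcp.port", 80)
HEURISTIC = []  # dissectors asked in turn when no static entry matches

def dissect_ethernet(data):
    ethertype = struct.unpack("!H", data[12:14])[0]
    return "eth", [("ethertype", ethertype)], data[14:]
def dissect_ipv4(data):
    ihl = (data[0] & 0x0F) * 4                  # header length in bytes
    return "ip", [("ip.proto", data[9])], data[ihl:]
def dissect_tcp(data):
    sport, dport = struct.unpack("!HH", data[:4])
    offset = (data[12] >> 4) * 4                # data offset in bytes
    return "tcp", [("tcp.port", dport), ("tcp.port", sport)], data[offset:]
def dissect_http(data):
    return "http", [], b""                      # consumes the rest
def heur_http(data):
    # Heuristic: "like" the data only if it starts like an HTTP message.
    return dissect_http(data) if data[:4] in (b"GET ", b"POST", b"HTTP") else None

STATIC[("encap", "ethernet")] = dissect_ethernet
STATIC[("ethertype", 0x0800)] = dissect_ipv4
STATIC[("ip.proto", 6)] = dissect_tcp
STATIC[("tcp.port", 80)] = dissect_http         # static: well-known port
HEURISTIC.append(heur_http)                     # heuristic: any other port

def dissect(data, keys=(("encap", "ethernet"),)):
    """Static lookup first, then heuristics, else the rest stays 'data'."""
    layers = []
    while data:
        dissector = next((STATIC[k] for k in keys if k in STATIC), None)
        result = dissector(data) if dissector else None
        if result is None:                      # no static match, or refused
            result = next(filter(None, (h(data) for h in HEURISTIC)), None)
        if result is None:
            layers.append("data")               # unknown to Wireshark
            break
        name, keys, data = result
        layers.append(name)
    return layers

def build_frame(dport, payload):
    """Constructed sample frame: Ethernet/IPv4/TCP; addresses and checksums zero."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0) + bytes(8)
    return eth + ip + tcp + payload
```

Running `dissect(build_frame(8080, b"GET / HTTP/1.1\r\n"))` shows the static port lookup failing and the heuristic dissector identifying HTTP from the first bytes, which is why a capture filter or an analyst should not assume that a protocol only appears on its well-known port. An unrecognised payload on the same port is left as undissected `data`.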

// End of WSUG Appendix How it Works