// WSDG Chapter Works [#ChapterWorks] == How Wireshark Works [#ChWorksIntro] === Introduction This chapter will give you a short overview of how Wireshark works. [#ChWorksOverview] === Overview The following will give you a simplified overview of Wireshark’s function blocks: [#ChWorksFigOverview] .Wireshark function blocks image::images/ws-function-blocks.png[{pdf-scaledwidth}] The function blocks in more detail: GUI:: Handling of all user input/output (all windows, dialogs and such). Source code can be found in the _ui/qt_ directory. Core:: Main "glue code" that holds the other blocks together. Source code can be found in the root directory. Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine. Source code can be found in the _epan_ directory. Epan provides the following APIs: * Protocol Tree. Dissection information for an individual packet. * Dissectors. The various protocol dissectors in _epan/dissectors_. * Dissector Plugins - Support for implementing dissectors as separate modules. Source code can be found in _plugins_. * Display Filters - The display filter engine at _epan/dfilter_. Wiretap:: The wiretap library is used to read and write capture files in libpcap, pcapng, and many other file formats. Source code is in the _wiretap_ directory. Capture:: The interface to the capture engine. Source code is in the root directory. Dumpcap:: The capture engine itself. This is the only part that executes with elevated privileges. Source code is in the root directory. Npcap and libpcap:: These are external libraries that provide packet capture and filtering support on different platforms. The filtering in Npcap and libpcap works at a much lower level than Wireshark’s display filters and uses a significantly different mechanism. That’s why there are different display and capture filter syntaxes. [#ChWorksCapturePackets] === Capturing packets Capturing takes packets from a network adapter and saves them to a file on your hard disk. Since raw network adapter access requires elevated privileges, these functions are isolated to the `dumpcap` program. Placing the capture functionality into `dumpcap` allows the rest of the code (dissectors, user interface, etc.) to run with normal user privileges. To hide all the low-level machine dependent details from Wireshark, the libpcap and Npcap (see <>) libraries are used. These libraries provide a general purpose interface to capture packets and are used by a wide variety of applications. [#ChWorksCaptureFiles] === Capture Files Wireshark can read and write capture files in its natural file formats, pcapng and pcap, which are used by many other network capturing tools, such as tcpdump. Additionally, Wireshark supports reading and writing packet capture files in formats used by other network capture tools. This support is implemented in Wireshark's wiretap library, which provides a general purpose interface for reading and writing packet capture formats and supports more than twenty packet capture formats. [#ChWorksDissectPackets] === Dissect packets Wireshark dissects packets in what it calls 'two-pass' dissection. Wireshark performs a first pass of dissecting all packets as they are loaded from the file. All packets are dissected sequentially and this information is used to populate Wireshark's packet list pane and to build state and other information needed when displaying the packet. Wireshark later performs 'second pass' ad-hoc dissections on the packets that it needs data from. This enables Wireshark to fill in fields that require future knowledge, like the 'response in frame #' fields, and correctly calculate reassembly frame dependencies. For example, Wireshark will perform an ad-hoc dissection when a user selects a packet (to display the packet details), calculates a statistic (so all values are computed), or performs another action that requires packet data. However, because Wireshark may only dissect the packets that are needed, there is no guarantee that Wireshark will dissect all packets again, nor is there any guarantee as to the order that the packets will be dissected after the first pass. // End of WSDG Chapter Works