120 lines
4.1 KiB
Plaintext
120 lines
4.1 KiB
Plaintext
// WSDG Chapter Works
|
||
|
||
[[ChapterWorks]]
|
||
|
||
== How Wireshark Works
|
||
|
||
[[ChWorksIntro]]
|
||
|
||
=== Introduction
|
||
|
||
This chapter will give you a short overview of how Wireshark works.
|
||
|
||
[[ChWorksOverview]]
|
||
|
||
=== Overview
|
||
|
||
The following will give you a simplified overview of Wireshark’s function blocks:
|
||
|
||
[[ChWorksFigOverview]]
|
||
|
||
.Wireshark function blocks
|
||
image::wsdg_graphics/ws-function-blocks.png[{pdf-scaledwidth}]
|
||
|
||
The function blocks in more detail:
|
||
|
||
GUI:: Handling of all user input/output (all windows, dialogs and such).
|
||
Source code can be found in the _ui/qt_ directory.
|
||
|
||
Core:: Main "glue code" that holds the other blocks together. Source
|
||
code can be found in the root directory.
|
||
|
||
Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine.
|
||
Source code can be found in the _epan_ directory. Epan provides
|
||
the following APIs:
|
||
|
||
* Protocol Tree. Dissection information for an individual packet.
|
||
|
||
* Dissectors. The various protocol dissectors in
|
||
_epan/dissectors_.
|
||
|
||
* Dissector Plugins - Support for implementing dissectors as separate modules.
|
||
Source code can be found in _plugins_.
|
||
|
||
* Display Filters - The display filter engine at
|
||
_epan/dfilter_.
|
||
|
||
Wiretap:: The wiretap library is used to read and write capture files in libpcap,
|
||
pcapng, and many other file formats. Source code is in the
|
||
_wiretap_ directory.
|
||
|
||
Capture:: The interface to the capture engine. Source code is in the
|
||
root directory.
|
||
|
||
Dumpcap:: The capture engine itself. This is the only part that executes with
|
||
elevated privileges. Source code is in the root directory.
|
||
|
||
Npcap and libpcap:: These are external libraries that provide packet capture
|
||
and filtering support on different platforms. The filtering in Npcap and libpcap
|
||
works at a much lower level than Wireshark’s display filters and uses a
|
||
significantly different mechanism. That’s why there are different display and
|
||
capture filter syntaxes.
|
||
|
||
|
||
[[ChWorksCapturePackets]]
|
||
|
||
=== Capturing packets
|
||
|
||
Capturing takes packets from a network adapter and saves them to a file
|
||
on your hard disk.
|
||
|
||
Since raw network adapter access requires elevated privileges, these functions
|
||
are isolated to the `dumpcap` program. Placing the capture functionality
|
||
into `dumpcap` allows the rest of the code (dissectors, user interface,
|
||
etc.) to run with normal user privileges.
|
||
|
||
To hide all the low-level machine dependent details from Wireshark, the libpcap
|
||
and Npcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a
|
||
general purpose interface to capture packets and are used by a wide variety of
|
||
applications.
|
||
|
||
[[ChWorksCaptureFiles]]
|
||
|
||
=== Capture Files
|
||
|
||
Wireshark can read and write capture files in its natural file formats, pcapng
|
||
and pcap, which are used by many other network capturing tools, such as tcpdump.
|
||
Additionally, Wireshark supports reading and writing packet capture files
|
||
in formats used by other network capture tools. This support is implemented in
|
||
Wireshark's wiretap library, which provides a general purpose interface for
|
||
reading and writing packet capture formats and supports more than twenty
|
||
packet capture formats.
|
||
|
||
[[ChWorksDissectPackets]]
|
||
|
||
=== Dissect packets
|
||
|
||
Wireshark dissects packets in what it calls 'two-pass' dissection.
|
||
|
||
Wireshark performs a first pass of dissecting all packets as they are loaded
|
||
from the file. All packets are dissected sequentially and this information
|
||
is used to populate Wireshark's packet list pane and to build state and
|
||
other information needed when displaying the packet.
|
||
|
||
Wireshark later performs 'second pass' ad-hoc dissections on the
|
||
packets that it needs data from. This enables Wireshark to fill in fields that
|
||
require future knowledge, like the 'response in frame #' fields,
|
||
and correctly calculate reassembly frame dependencies.
|
||
|
||
For example, Wireshark will perform an ad-hoc dissection when a user selects
|
||
a packet (to display the packet details),
|
||
calculates a statistic (so all values are computed),
|
||
or performs another action that requires packet data.
|
||
However, because Wireshark may only dissect
|
||
the packets that are needed, there is no guarantee that
|
||
Wireshark will dissect all packets again, nor is there any guarantee as to the
|
||
order that the packets will be dissected after the first pass.
|
||
|
||
// End of WSDG Chapter Works
|
||
|