How Ethereal Works
Introduction

This chapter gives a short overview of how Ethereal works.
Overview

The following gives a simplified overview of Ethereal's function blocks:

Figure: Ethereal function blocks.
The function blocks in more detail:

GTK 1/2: Handles all user input and output (all windows, dialogs and so on). Source code can be found in the gtk directory.

Core: The main "glue code" that holds the other blocks together; source code can be found in the root directory.

Epan: Ethereal Packet ANalyzing (XXX - is this correct?), the packet analyzing engine; source code can be found in the epan directory. It consists of:

  Protocol-Tree: Keeps the protocol information of the capture file's packets.
  Dissectors: The various protocol dissectors in epan/dissectors.
  Plugins: Some of the protocol dissectors are implemented as plugins; source code in plugins.
  Display-Filters: The display filter engine in epan/dfilter.

Capture: The capture engine.

Wiretap: The wiretap library is used to read and write capture files in libpcap and many other file formats; the source code is in the wiretap directory.

Win-/libpcap (not part of the Ethereal package): The platform-dependent packet capture library, including the capture filter engine. This is why display filters and capture filters still have different syntaxes: two different filtering engines are used.
Capturing packets

Capturing takes packets from a network adapter and saves them to a file on your hard disk. To hide all the low-level, machine-dependent details from Ethereal, the libpcap/WinPcap library (see ) is used. This library provides a general-purpose interface for capturing packets from many different network interface types (Ethernet, Token Ring, ...).
Capture Files

Ethereal can read and write capture files in its native file format, the libpcap format, which is used by many other network capturing tools, e.g. tcpdump. In addition, as one of its strengths, Ethereal can read and write the file formats of many other network capturing tools. The wiretap library, developed together with Ethereal, provides a general-purpose interface for reading and writing all of these file formats. If you need to add another capture file format, this is the place to start.
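As an added illustration of the libpcap file format the text refers to (this is example code written for this page, not part of Ethereal or the wiretap library), the following Python reads a libpcap file held in memory: the 24-byte global header with its magic number, which also reveals the byte order and timestamp resolution of the file, followed by a 16-byte record header and the captured bytes for each packet. The sample file is constructed inline; the 256 KiB ceiling on the captured length is the value libpcap itself uses as its maximum snapshot length, and the parser refuses records that claim more data than the file actually holds instead of trusting the header.

```python
import struct

# Documented libpcap magic numbers. The byte order in which the magic appears
# on disk tells us the byte order of every header in the file.
PCAP_MAGIC_USEC = 0xA1B2C3D4   # timestamps are seconds + microseconds
PCAP_MAGIC_NSEC = 0xA1B23C4D   # timestamps are seconds + nanoseconds
MAX_CAPLEN = 262144            # libpcap's maximum snapshot length


def parse_pcap(data: bytes):
    """Parse a libpcap file image.

    Returns (link_type, snaplen, records); each record is a dict holding the
    timestamp as float seconds, caplen, origlen and the captured bytes.
    Raises ValueError for a malformed file rather than over-reading.
    """
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a libpcap file (magic 0x%08x)" % magic_le)
    ts_divisor = 1e9 if magic == PCAP_MAGIC_NSEC else 1e6

    # Global header: magic, version major/minor, thiszone, sigfigs, snaplen, linktype
    _, vmajor, _vminor, _tz, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "IHHiIII", data[:24])
    if vmajor != 2:
        raise ValueError("unsupported libpcap major version %d" % vmajor)

    records = []
    off = 24
    while off < len(data):
        if len(data) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, caplen, origlen = struct.unpack(
            endian + "IIII", data[off:off + 16])
        off += 16
        # A corrupt or hostile file can claim an absurd caplen; bound it before
        # slicing so a bad header cannot make us read past the data we have.
        if caplen > MAX_CAPLEN:
            raise ValueError("record caplen %d exceeds %d" % (caplen, MAX_CAPLEN))
        if off + caplen > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        records.append({
            "ts": ts_sec + ts_frac / ts_divisor,
            "caplen": caplen,
            "origlen": origlen,
            "data": data[off:off + caplen],
        })
        off += caplen
    return linktype, snaplen, records


def build_sample_pcap(endian: str = "<", nanosecond: bool = False) -> bytes:
    """Constructed two-packet libpcap file (not a real capture), link type 1 = Ethernet."""
    magic = PCAP_MAGIC_NSEC if nanosecond else PCAP_MAGIC_USEC
    header = struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, 1)
    packets = [b"\x00" * 14 + b"\x08\x00", b"\xff" * 60]
    body = b""
    for i, pkt in enumerate(packets):
        body += struct.pack(endian + "IIII", 1700000000 + i, 500000, len(pkt), len(pkt)) + pkt
    return header + body


if __name__ == "__main__":
    link_type, snaplen, recs = parse_pcap(build_sample_pcap())
    print("linktype", link_type, "snaplen", snaplen, "packets", len(recs))
    for r in recs:
        print("%.6f caplen=%d origlen=%d" % (r["ts"], r["caplen"], r["origlen"]))
```

The same parser accepts the big-endian and nanosecond variants of the sample file, because the byte order and timestamp unit are derived from the magic rather than assumed; a file cut off in the middle of a record is rejected with a ValueError.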
Dissect packets

While Ethereal is loading packets from a file, each packet is dissected. Ethereal tries to detect what kind of packet it is and to get as much information from it as possible. In this run, however, only the information shown in the packet list pane is needed. When the user selects a specific packet in the packet list pane, this packet is dissected again. This time, Ethereal tries to get every single piece of information from it and puts the result into the packet details pane.
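The two dissection passes described above, as an added example written for this page (it is not Ethereal's dissector code and uses none of the epan API): one dissector routine over an Ethernet II / IPv4 / UDP frame, run once with full=False to fill only the packet list columns and once with full=True to build a protocol tree with every field. The sample frame is constructed inline; the header checksum check and the payload extraction happen only in the full pass, mirroring the idea that the first pass stops as soon as the columns are known, and each layer refuses to read past the bytes it actually has.

```python
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum; yields 0 when the header's checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_sample_frame() -> bytes:
    """Constructed Ethernet II / IPv4 / UDP frame with a 4-byte payload (not captured traffic)."""
    payload = b"ping"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                         64, IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def dissect(frame: bytes, full: bool) -> dict:
    """full=False: first pass, only what the packet list needs.
    full=True: second pass, a protocol tree with every field plus integrity checks."""
    cols = {"src": "", "dst": "", "proto": "", "info": ""}
    tree = []  # list of (protocol name, {field: value}) in layer order

    def malformed(reason: str) -> dict:
        cols["proto"], cols["info"] = "Malformed", reason
        return {"columns": cols, "tree": tree}

    if len(frame) < 14:
        return malformed("frame shorter than the 14-byte Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    cols.update(src=src_mac.hex(":"), dst=dst_mac.hex(":"), proto="Ethernet",
                info="type 0x%04x" % ethertype)
    if full:
        tree.append(("Ethernet II", {"dst": dst_mac.hex(":"), "src": src_mac.hex(":"),
                                     "type": "0x%04x" % ethertype}))
    if ethertype != ETHERTYPE_IPV4:
        return {"columns": cols, "tree": tree}

    ip = frame[14:]
    if len(ip) < 20:
        return malformed("IPv4 header truncated")
    vihl, _tos, total_len, _ident, _flags_frag, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return malformed("bad IPv4 version or header length")
    cols.update(src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
                proto="IPv4", info="protocol %d" % proto)
    if full:
        # The checksum is verified only in the detail pass; the packet list never needs it.
        tree.append(("IPv4", {"ttl": ttl, "total_length": total_len, "protocol": proto,
                              "header_checksum": "0x%04x" % csum,
                              "checksum_ok": ip_checksum(ip[:ihl]) == 0}))
    if proto != IPPROTO_UDP:
        return {"columns": cols, "tree": tree}

    udp = ip[ihl:min(total_len, len(ip))]
    if len(udp) < 8:
        return malformed("UDP header truncated")
    sport, dport, ulen, _ucsum = struct.unpack("!HHHH", udp[:8])
    cols.update(proto="UDP", info="%d -> %d Len=%d" % (sport, dport, max(ulen - 8, 0)))
    if full:
        payload = udp[8:ulen]
        tree.append(("UDP", {"src_port": sport, "dst_port": dport, "length": ulen,
                             "payload": payload.hex(),
                             "payload_truncated": len(udp) < ulen}))
    return {"columns": cols, "tree": tree}


if __name__ == "__main__":
    sample = build_sample_frame()
    print("packet list :", dissect(sample, full=False)["columns"])
    for layer, fields in dissect(sample, full=True)["tree"]:
        print("details     :", layer, fields)
```

Running both passes over the same frame shows the difference in work: the summary pass returns the four columns and an empty tree, while the detail pass returns one tree entry per layer, including the checksum verdict and the payload bytes.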