How Wireshark Works
Introduction
This chapter will give you a short overview of how Wireshark works.
Overview
The following will give you a simplified overview of Wireshark's function blocks:
The function blocks in more detail:
GTK 1/2 - Handling of all user input/output (all windows, dialogs and such). Source code can be found in the gtk directory.
Core - Main "glue code" that holds the other blocks together; source code can be found in the root directory.
Epan - Ethereal Packet ANalyzer (XXX - is this correct?), the packet analyzing engine; source code can be found in the epan directory. It consists of:
Protocol-Tree - Keeps the protocol information data of the capture file.
Dissectors - The various protocol dissectors in epan/dissectors.
Plugins - Some of the protocol dissectors are implemented as plugins; source code at plugins.
Display-Filters - The display filter engine at epan/dfilter.
Capture - The capture engine.
Wiretap - The wiretap library is used to read/write capture files in libpcap and a lot of other file formats; the source code is in the wiretap directory.
Win-/libpcap (not part of the Wireshark package) - The platform-dependent packet capture library, including the capture filter engine. That's the reason why we still have different display and capture filter syntaxes: two different filtering engines are used.
Capturing packets
Capturing will take packets from a network adapter and save them to a file
on your hard disk.
To hide all the low-level, machine-dependent details from
Wireshark, the libpcap/WinPcap library
is used. This library provides a general-purpose interface to capture
packets from a lot of different network interface types (Ethernet,
Token Ring, ...).
Capture Files
Wireshark can read and write capture files in its native file format, the
libpcap format, which is used by many other network capturing tools,
e.g. tcpdump. In addition to this, as one of its strengths,
Wireshark can read/write files in many different file formats of other
network capturing tools. The wiretap library, developed together with
Wireshark, provides a general-purpose interface to read/write all the file
formats. If you need to add another capture file format, this is the place
to start.
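As an added illustration of the libpcap file format that wiretap reads (example code written for this page, not code from Wireshark or the wiretap library), the following C program parses a classic pcap file held in memory: it determines the writer's byte order and timestamp resolution from the on-disk magic number, reads the global header, and walks the per-packet records with length checks so that a truncated or inconsistent file is rejected rather than read out of bounds. The sample file bytes and the pcap_parse/pcap_summary_t names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Summary of one classic libpcap file (the pre-pcapng format). */
typedef struct {
    int      little_endian;   /* byte order the writing host used */
    int      nanosecond;      /* 1 if timestamps carry nanoseconds, 0 for microseconds */
    uint16_t version_major, version_minor;
    uint32_t snaplen, linktype;
    uint32_t first_ts_sec, first_ts_frac;
    size_t   packets;         /* records walked */
    size_t   bytes_captured;  /* sum of incl_len over all records */
} pcap_summary_t;

/* Read a 32/16-bit value in the file's byte order. */
static uint32_t rd32(const uint8_t *p, int le)
{
    return le ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
              : (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}
static uint16_t rd16(const uint8_t *p, int le)
{
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[0] << 8 | p[1]);
}

/* Parse a whole pcap file held in memory. Returns 0 on success or a
   negative code: -1 short global header, -2 unknown magic, -3 truncated
   record header, -4 inconsistent record lengths, -5 record body cut off. */
int pcap_parse(const uint8_t *buf, size_t len, pcap_summary_t *out)
{
    if (len < 24) return -1;
    /* The magic is written in host order, so its on-disk byte pattern
       reveals the writer's endianness (and the timestamp resolution). */
    switch (rd32(buf, 0)) {
    case 0xa1b2c3d4: out->little_endian = 0; out->nanosecond = 0; break;
    case 0xd4c3b2a1: out->little_endian = 1; out->nanosecond = 0; break;
    case 0xa1b23c4d: out->little_endian = 0; out->nanosecond = 1; break;
    case 0x4d3cb2a1: out->little_endian = 1; out->nanosecond = 1; break;
    default: return -2;
    }
    int le = out->little_endian;
    out->version_major = rd16(buf + 4, le);
    out->version_minor = rd16(buf + 6, le);
    /* bytes 8..15 hold thiszone and sigfigs, which modern readers ignore */
    out->snaplen  = rd32(buf + 16, le);
    out->linktype = rd32(buf + 20, le);
    out->packets = out->bytes_captured = 0;
    out->first_ts_sec = out->first_ts_frac = 0;

    size_t off = 24;
    while (off < len) {
        if (len - off < 16) return -3;               /* 16-byte record header */
        uint32_t ts_sec   = rd32(buf + off, le);
        uint32_t ts_frac  = rd32(buf + off + 4, le);
        uint32_t incl_len = rd32(buf + off + 8, le);
        uint32_t orig_len = rd32(buf + off + 12, le);
        off += 16;
        /* A record can never hold more than snaplen bytes, nor more than
           the packet's original size; either means a corrupt file. */
        if (incl_len > out->snaplen || incl_len > orig_len) return -4;
        if (len - off < incl_len) return -5;
        if (out->packets == 0) { out->first_ts_sec = ts_sec; out->first_ts_frac = ts_frac; }
        out->packets++;
        out->bytes_captured += incl_len;
        off += incl_len;   /* the packet bytes start here; a dissector would take them */
    }
    return 0;
}

/* Constructed sample: a little-endian pcap v2.4, Ethernet link type, holding
   one 14-byte frame captured at 100000000.010000 s. */
static const uint8_t sample_pcap[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,                   /* snaplen 65535, linktype 1 */
    0x00,0xe1,0xf5,0x05, 0x10,0x27,0x00,0x00, 0x0e,0x00,0x00,0x00, 0x0e,0x00,0x00,0x00,
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,  /* frame bytes */
};

int main(void)
{
    pcap_summary_t s;
    int rc = pcap_parse(sample_pcap, sizeof sample_pcap, &s);
    printf("rc=%d version=%u.%u linktype=%u packets=%zu bytes=%zu\n",
           rc, (unsigned)s.version_major, (unsigned)s.version_minor,
           (unsigned)s.linktype, s.packets, s.bytes_captured);
    return rc != 0;
}
```

The length checks are the point: a capture file is untrusted input, and a record header that claims more bytes than the file holds, or more than snaplen, must stop the reader instead of driving it past the end of the buffer.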
Dissect packets
While Wireshark is loading packets from a file, each packet is dissected.
Wireshark tries to detect what kind of packet it is and to get as much
information from it as possible. In this run, only the information shown
in the packet list pane is needed though.
As the user selects a specific packet in the packet list pane, this packet
will be dissected again. This time, Wireshark tries to
get every single piece of information and put it into
the packet details pane.
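As an added example of the two-pass dissection described above (code written for this page, not Wireshark's own dissector interface), the C program below dissects one Ethernet/IPv4/TCP frame either into the few columns a packet list row needs (first pass, tree == NULL) or, on the second pass, into a flat field list that stands in for the protocol tree shown in the details pane. Every header is bounds-checked before it is read, which is the discipline a dissector needs because it processes untrusted bytes from the wire. The sample frame, the columns_t/tree_t types and the dissect_frame name are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pass 1 output: what one row of the packet list pane needs. */
typedef struct { char proto[8]; char src[16]; char dst[16]; size_t length; } columns_t;

/* Pass 2 output: a flat stand-in for the protocol tree in the details pane. */
typedef struct { char name[24]; uint32_t value; } field_t;
typedef struct { field_t f[16]; size_t n; } tree_t;

static void tree_add(tree_t *t, const char *name, uint32_t v)
{
    if (t == NULL || t->n >= 16) return;          /* NULL tree = pass 1, record nothing */
    snprintf(t->f[t->n].name, sizeof t->f[t->n].name, "%s", name);
    t->f[t->n].value = v;
    t->n++;
}

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Dissect one Ethernet/IPv4/TCP frame. Returns the bytes consumed, or 0 if
   the frame is truncated or malformed; no header is read before its length
   has been checked against what is actually in the buffer. */
size_t dissect_frame(const uint8_t *p, size_t len, columns_t *cols, tree_t *tree)
{
    memset(cols, 0, sizeof *cols);
    cols->length = len;
    if (len < 14) return 0;                                      /* Ethernet header */
    uint16_t ethertype = be16(p + 12);
    tree_add(tree, "eth.type", ethertype);
    if (ethertype != 0x0800) { snprintf(cols->proto, sizeof cols->proto, "ETH"); return 14; }

    const uint8_t *ip = p + 14;
    size_t rem = len - 14;
    if (rem < 20) return 0;                                      /* minimum IPv4 header */
    size_t ihl = (ip[0] & 0x0f) * 4u;
    if ((ip[0] >> 4) != 4 || ihl < 20 || ihl > rem) return 0;    /* bogus IHL, a classic trap */
    uint16_t total = be16(ip + 2);
    if (total < ihl || total > rem) return 0;
    snprintf(cols->src, sizeof cols->src, "%u.%u.%u.%u", ip[12], ip[13], ip[14], ip[15]);
    snprintf(cols->dst, sizeof cols->dst, "%u.%u.%u.%u", ip[16], ip[17], ip[18], ip[19]);
    tree_add(tree, "ip.hdr_len", (uint32_t)ihl);
    tree_add(tree, "ip.len", total);
    tree_add(tree, "ip.ttl", ip[8]);
    tree_add(tree, "ip.proto", ip[9]);
    snprintf(cols->proto, sizeof cols->proto, "IPv4");

    if (ip[9] != 6) return 14 + total;                           /* not TCP: stop at IPv4 */
    const uint8_t *tcp = ip + ihl;
    rem = total - ihl;
    if (rem < 20) return 0;
    size_t doff = (tcp[12] >> 4) * 4u;
    if (doff < 20 || doff > rem) return 0;
    snprintf(cols->proto, sizeof cols->proto, "TCP");
    if (tree == NULL) return 14 + total;                         /* pass 1 has its columns */
    tree_add(tree, "tcp.srcport", be16(tcp));
    tree_add(tree, "tcp.dstport", be16(tcp + 2));
    tree_add(tree, "tcp.seq", be32(tcp + 4));
    tree_add(tree, "tcp.ack", be32(tcp + 8));
    tree_add(tree, "tcp.flags", tcp[13]);
    return 14 + total;
}

/* Constructed sample: Ethernet + IPv4 + TCP SYN, 192.168.0.1:50000 -> 192.168.0.2:80.
   Checksums are left as zero; this dissector does not verify them. */
static const uint8_t sample_frame[54] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x00,0x01, 0xc0,0xa8,0x00,0x02,
    0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00,
};

int main(void)
{
    columns_t cols;
    tree_t tree = {0};
    size_t n = dissect_frame(sample_frame, sizeof sample_frame, &cols, &tree);
    printf("%s %s -> %s (%zu bytes), %zu fields\n", cols.proto, cols.src, cols.dst, n, tree.n);
    for (size_t i = 0; i < tree.n; i++) printf("  %s = %u\n", tree.f[i].name, (unsigned)tree.f[i].value);
    return n == 0;
}
```

Passing a NULL tree is what makes the first pass cheap: the protocol chain is still identified far enough to fill the columns, but no per-field records are built until the user selects the packet and the second pass runs with a real tree.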