Diffstat (limited to 'doc/wsdg_src/wsdg_works.adoc')
-rw-r--r-- | doc/wsdg_src/wsdg_works.adoc | 119 |
1 files changed, 119 insertions, 0 deletions
diff --git a/doc/wsdg_src/wsdg_works.adoc b/doc/wsdg_src/wsdg_works.adoc new file mode 100644 index 00000000..88c2f7a5 --- /dev/null +++ b/doc/wsdg_src/wsdg_works.adoc 
@@ -0,0 +1,119 @@ +// WSDG Chapter Works + +[#ChapterWorks] + +== How Wireshark Works + +[#ChWorksIntro] + +=== Introduction + +This chapter will give you a short overview of how Wireshark works. + +[#ChWorksOverview] + +=== Overview + +The following will give you a simplified overview of Wireshark’s function blocks: + +[#ChWorksFigOverview] + +.Wireshark function blocks +image::images/ws-function-blocks.svg[{pdf-scaledwidth}] + +The function blocks in more detail: + +GUI:: Handling of all user input/output (all windows, dialogs and such). +Source code can be found in the _ui/qt_ directory. + +Core:: Main "glue code" that holds the other blocks together. Source +code can be found in the root directory. + +Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine. +Source code can be found in the _epan_ directory. Epan provides +the following APIs: + +* Protocol Tree. Dissection information for an individual packet. + +* Dissectors. The various protocol dissectors in +_epan/dissectors_. + +* Dissector Plugins - Support for implementing dissectors as separate modules. +Source code can be found in _plugins_. + +* Display Filters - The display filter engine at +_epan/dfilter_. + +Wiretap:: The wiretap library is used to read and write capture files in libpcap, +pcapng, and many other file formats. Source code is in the +_wiretap_ directory. + +Capture:: The interface to the capture engine. Source code is in the +root directory. + +Dumpcap:: The capture engine itself. This is the only part that executes with +elevated privileges. Source code is in the root directory. + +Npcap and libpcap:: These are external libraries that provide packet capture +and filtering support on different platforms. The filtering in Npcap and libpcap +works at a much lower level than Wireshark’s display filters and uses a +significantly different mechanism. That’s why there are different display and +capture filter syntaxes. 
+ + +[#ChWorksCapturePackets] + +=== Capturing packets + +Capturing takes packets from a network adapter and saves them to a file +on your hard disk. + +Since raw network adapter access requires elevated privileges, these functions +are isolated to the `dumpcap` program. Placing the capture functionality +into `dumpcap` allows the rest of the code (dissectors, user interface, +etc.) to run with normal user privileges. + +To hide all the low-level machine dependent details from Wireshark, the libpcap +and Npcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a +general purpose interface to capture packets and are used by a wide variety of +applications. + +[#ChWorksCaptureFiles] + +=== Capture Files + +Wireshark can read and write capture files in its natural file formats, pcapng +and pcap, which are used by many other network capturing tools, such as tcpdump. +Additionally, Wireshark supports reading and writing packet capture files +in formats used by other network capture tools. This support is implemented in +Wireshark's wiretap library, which provides a general purpose interface for +reading and writing packet capture formats and supports more than twenty +packet capture formats. + +[#ChWorksDissectPackets] + +=== Dissect packets + +Wireshark dissects packets in what it calls 'two-pass' dissection. + +Wireshark performs a first pass of dissecting all packets as they are loaded +from the file. All packets are dissected sequentially and this information +is used to populate Wireshark's packet list pane and to build state and +other information needed when displaying the packet. + +Wireshark later performs 'second pass' ad-hoc dissections on the +packets that it needs data from. This enables Wireshark to fill in fields that +require future knowledge, like the 'response in frame #' fields, +and correctly calculate reassembly frame dependencies. 
+ +For example, Wireshark will perform an ad-hoc dissection when a user selects +a packet (to display the packet details), +calculates a statistic (so all values are computed), +or performs another action that requires packet data. +However, because Wireshark may only dissect +the packets that are needed, there is no guarantee that +Wireshark will dissect all packets again, nor is there any guarantee as to the +order that the packets will be dissected after the first pass. + +// End of WSDG Chapter Works + |
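Review bot: the cross-reference `<<ChLibsPcap>>` in the "Capturing packets" section is not defined anywhere in this new file, so please confirm that anchor exists in another chapter of the WSDG source, otherwise the AsciiDoc build will emit an unresolved reference. Two smaller style points in the same hunk: the apostrophe alternates between the typographic form ("Wireshark’s function blocks", "Wireshark’s display filters") and the plain ASCII form ("Wireshark's packet list pane"), and the bullet list under Epan mixes "Protocol Tree. Dissection information..." with "Dissector Plugins - Support for...", so it is worth settling on one separator before this lands. On substance, the line "This is the only part that executes with elevated privileges" under Dumpcap is the key design statement of the chapter; it would read more clearly if "Capturing packets" repeated the same wording when it explains why capture is isolated in `dumpcap`, so a reader who jumps straight to that section gets the privilege-separation point without having to go back to the overview.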