Diffstat (limited to 'docbook/wsdg_src/wsdg_works.adoc')
-rw-r--r-- | docbook/wsdg_src/wsdg_works.adoc | 119 |
1 files changed, 0 insertions, 119 deletions
diff --git a/docbook/wsdg_src/wsdg_works.adoc b/docbook/wsdg_src/wsdg_works.adoc deleted file mode 100644 index baa75403..00000000 --- a/docbook/wsdg_src/wsdg_works.adoc +++ /dev/null 
@@ -1,119 +0,0 @@ -// WSDG Chapter Works - -[#ChapterWorks] - -== How Wireshark Works - -[#ChWorksIntro] - -=== Introduction - -This chapter will give you a short overview of how Wireshark works. - -[#ChWorksOverview] - -=== Overview - -The following will give you a simplified overview of Wireshark’s function blocks: - -[#ChWorksFigOverview] - -.Wireshark function blocks -image::images/ws-function-blocks.png[{pdf-scaledwidth}] - -The function blocks in more detail: - -GUI:: Handling of all user input/output (all windows, dialogs and such). -Source code can be found in the _ui/qt_ directory. - -Core:: Main "glue code" that holds the other blocks together. Source -code can be found in the root directory. - -Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine. -Source code can be found in the _epan_ directory. Epan provides -the following APIs: - -* Protocol Tree. Dissection information for an individual packet. - -* Dissectors. The various protocol dissectors in -_epan/dissectors_. - -* Dissector Plugins - Support for implementing dissectors as separate modules. -Source code can be found in _plugins_. - -* Display Filters - The display filter engine at -_epan/dfilter_. - -Wiretap:: The wiretap library is used to read and write capture files in libpcap, -pcapng, and many other file formats. Source code is in the -_wiretap_ directory. - -Capture:: The interface to the capture engine. Source code is in the -root directory. - -Dumpcap:: The capture engine itself. This is the only part that executes with -elevated privileges. Source code is in the root directory. - -Npcap and libpcap:: These are external libraries that provide packet capture -and filtering support on different platforms. The filtering in Npcap and libpcap -works at a much lower level than Wireshark’s display filters and uses a -significantly different mechanism. That’s why there are different display and -capture filter syntaxes. 
- - -[#ChWorksCapturePackets] - -=== Capturing packets - -Capturing takes packets from a network adapter and saves them to a file -on your hard disk. - -Since raw network adapter access requires elevated privileges, these functions -are isolated to the `dumpcap` program. Placing the capture functionality -into `dumpcap` allows the rest of the code (dissectors, user interface, -etc.) to run with normal user privileges. - -To hide all the low-level machine dependent details from Wireshark, the libpcap -and Npcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a -general purpose interface to capture packets and are used by a wide variety of -applications. - -[#ChWorksCaptureFiles] - -=== Capture Files - -Wireshark can read and write capture files in its natural file formats, pcapng -and pcap, which are used by many other network capturing tools, such as tcpdump. -Additionally, Wireshark supports reading and writing packet capture files -in formats used by other network capture tools. This support is implemented in -Wireshark's wiretap library, which provides a general purpose interface for -reading and writing packet capture formats and supports more than twenty -packet capture formats. - -[#ChWorksDissectPackets] - -=== Dissect packets - -Wireshark dissects packets in what it calls 'two-pass' dissection. - -Wireshark performs a first pass of dissecting all packets as they are loaded -from the file. All packets are dissected sequentially and this information -is used to populate Wireshark's packet list pane and to build state and -other information needed when displaying the packet. - -Wireshark later performs 'second pass' ad-hoc dissections on the -packets that it needs data from. This enables Wireshark to fill in fields that -require future knowledge, like the 'response in frame #' fields, -and correctly calculate reassembly frame dependencies. 
- -For example, Wireshark will perform an ad-hoc dissection when a user selects -a packet (to display the packet details), -calculates a statistic (so all values are computed), -or performs another action that requires packet data. -However, because Wireshark may only dissect -the packets that are needed, there is no guarantee that -Wireshark will dissect all packets again, nor is there any guarantee as to the -order that the packets will be dissected after the first pass. - -// End of WSDG Chapter Works - |
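Review bot: Deleting the whole file removes the anchors `[#ChapterWorks]`, `[#ChWorksIntro]`, `[#ChWorksOverview]`, `[#ChWorksFigOverview]`, `[#ChWorksCapturePackets]`, `[#ChWorksCaptureFiles]` and `[#ChWorksDissectPackets]` with no replacement visible in this hunk, so any `<<ChWorks...>>` or `<<ChapterWorks>>` cross-reference left in the other WSDG chapters, and the `include::` of `wsdg_works.adoc` in the book's top-level file, will now produce dangling links or a failed Asciidoctor build; please confirm in the commit description that those references were removed or retargeted, and where the content moved. The chapter being dropped is also the only place on this page that states the privilege-separation design ("Dumpcap:: The capture engine itself. This is the only part that executes with elevated privileges." and the paragraph "Since raw network adapter access requires elevated privileges, these functions are isolated to the `dumpcap` program."), which is the property contributors most need to understand before touching capture code; if the text is not relocated elsewhere in the WSDG, it should be, and the new location named here. Finally, the removed hunk still carried the outbound xref `<<ChLibsPcap>>`; if that chapter in turn pointed back at this one, it needs the same check.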