summaryrefslogtreecommitdiffstats
path: root/docbook/wsdg_src/wsdg_works.adoc
blob: baa754037f580e3103d6ba37c81c87f53ca60a01 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
// WSDG Chapter Works

[#ChapterWorks]

== How Wireshark Works

[#ChWorksIntro]

=== Introduction

This chapter will give you a short overview of how Wireshark works.

[#ChWorksOverview]

=== Overview

The following will give you a simplified overview of Wireshark’s function blocks:

[#ChWorksFigOverview]

.Wireshark function blocks
image::images/ws-function-blocks.png[{pdf-scaledwidth}]

The function blocks in more detail:

GUI:: Handling of all user input/output (all windows, dialogs and such).
Source code can be found in the _ui/qt_ directory.

Core:: Main "glue code" that holds the other blocks together. Source
code can be found in the root directory.

Epan:: Enhanced Packet ANalyzer -- the packet analyzing engine.
Source code can be found in the _epan_ directory. Epan provides
the following APIs:

* Protocol Tree. Dissection information for an individual packet.

* Dissectors. The various protocol dissectors in
_epan/dissectors_.

* Dissector Plugins - Support for implementing dissectors as separate modules.
Source code can be found in _plugins_.

* Display Filters - The display filter engine at
_epan/dfilter_.

Wiretap:: The wiretap library is used to read and write capture files in libpcap,
pcapng, and many other file formats. Source code is in the
_wiretap_ directory.

Capture:: The interface to the capture engine. Source code is in the
root directory.

Dumpcap:: The capture engine itself. This is the only part that executes with
elevated privileges. Source code is in the root directory.

Npcap and libpcap:: These are external libraries that provide packet capture
and filtering support on different platforms. The filtering in Npcap and libpcap
works at a much lower level than Wireshark’s display filters and uses a
significantly different mechanism. That’s why there are different display and
capture filter syntaxes.


[#ChWorksCapturePackets]

=== Capturing packets

Capturing takes packets from a network adapter and saves them to a file
on your hard disk.

Since raw network adapter access requires elevated privileges, these functions
are isolated to the `dumpcap` program. Placing the capture functionality
into `dumpcap` allows the rest of the code (dissectors, user interface,
etc.) to run with normal user privileges.

To hide all the low-level machine dependent details from Wireshark, the libpcap
and Npcap (see <<ChLibsPcap>>) libraries are used. These libraries provide a
general purpose interface to capture packets and are used by a wide variety of
applications.

[#ChWorksCaptureFiles]

=== Capture Files

Wireshark can read and write capture files in its natural file formats, pcapng
and pcap, which are used by many other network capturing tools, such as tcpdump.
Additionally, Wireshark supports reading and writing packet capture files
in formats used by other network capture tools. This support is implemented in
Wireshark's wiretap library, which provides a general purpose interface for
reading and writing packet capture formats and supports more than twenty
packet capture formats.

[#ChWorksDissectPackets]

=== Dissect packets

Wireshark dissects packets in what it calls 'two-pass' dissection.

Wireshark performs a first pass of dissecting all packets as they are loaded
from the file. All packets are dissected sequentially and this information
is used to populate Wireshark's packet list pane and to build state and
other information needed when displaying the packet.

Wireshark later performs 'second pass' ad-hoc dissections on the
packets that it needs data from. This enables Wireshark to fill in fields that
require future knowledge, like the 'response in frame #' fields,
and correctly calculate reassembly frame dependencies.

For example, Wireshark will perform an ad-hoc dissection when a user selects
a packet (to display the packet details),
calculates a statistic (so all values are computed),
or performs another action that requires packet data.
However, because Wireshark may only dissect
the packets that are needed, there is no guarantee that
Wireshark will dissect all packets again, nor is there any guarantee as to the
order that the packets will be dissected after the first pass.

// End of WSDG Chapter Works