6.2. Overview

The following will give you a simplified overview of Wireshark’s function blocks:

Figure 6.1. Wireshark function blocks

[Image: wsdg_graphics/ws-function-blocks.png]

The function blocks in more detail:

GTK+ 2
Handling of all user input/output (all windows, dialogs and such). Source code can be found in the ui/gtk directory.

Core
Main "glue code" that holds the other blocks together. Source code can be found in the root directory.
Epan
Ethereal Packet ANalyzer — the packet analyzing engine. Source code can be found in the epan directory. Epan provides the following APIs:

  • Protocol Tree. Dissection information for an individual packet.
  • Dissectors. The various protocol dissectors in epan/dissectors.
  • Dissector Plugins. Support for implementing dissectors as separate modules. Source code can be found in plugins.
  • Display Filters. The display filter engine at epan/dfilter.
Wiretap
The wiretap library is used to read and write capture files in libpcap, pcapng, and many other file formats. Source code is in the wiretap directory.
Capture
The interface with the capture engine. Source code in the root directory.
Dumpcap
The capture engine itself. This is the only part that should run with elevated privileges. Source code in the root directory.
WinPcap and libpcap
These are separate libraries that provide packet capture and filtering support on different platforms. The filtering in WinPcap and libpcap works at a much lower level than Wireshark’s display filters and uses a significantly different mechanism. That’s why we have different display and capture filter syntaxes.
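The Dumpcap entry above states the privilege boundary of this design: only dumpcap should run with elevated privileges. The following added script (not part of Wireshark) checks that boundary on a Linux install by parsing `getcap` output and flagging any binary other than dumpcap that holds the capture capabilities; the install directories, the `getcap -r` invocation and the sample lines in the comments are assumptions.

```python
import os
import re
import shutil
import subprocess

CAPTURE_CAPS = {"cap_net_raw", "cap_net_admin"}  # grant raw packet capture
PRIVILEGED_BINARY = "dumpcap"  # the only block that should carry them


def parse_getcap_line(line):
    """Split one getcap line into (path, {capability names}).

    Accepts both layouts getcap has printed over time (constructed samples):
      /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
      /usr/bin/dumpcap cap_net_admin,cap_net_raw=eip
    """
    line = line.strip()
    if not line:
        return None, set()
    if " = " in line:
        path, spec = line.split(" = ", 1)
    else:
        path, _, spec = line.rpartition(" ")
    names = re.split(r"[+=]", spec, maxsplit=1)[0]
    return path, {c.strip() for c in names.split(",") if c.strip()}


def audit(getcap_lines):
    """Map each binary to 'ok' (dumpcap holding capture caps),
    'unexpected' (any other binary holding them) or 'none'."""
    result = {}
    for line in getcap_lines:
        path, caps = parse_getcap_line(line)
        if path is None:
            continue
        if not caps & CAPTURE_CAPS:
            result[path] = "none"
        elif os.path.basename(path) == PRIVILEGED_BINARY:
            result[path] = "ok"
        else:
            result[path] = "unexpected"
    return result


if __name__ == "__main__" and shutil.which("getcap"):
    # Live run over the usual install directories (assumed paths).
    out = subprocess.run(["getcap", "-r", "/usr/bin", "/usr/sbin"],
                         capture_output=True, text=True).stdout
    for path, status in sorted(audit(out.splitlines()).items()):
        print(f"{status:10} {path}")
```

A `setuid` root wireshark or tshark binary would bypass this check entirely, so pair it with a look at file modes in the same directories.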