The following will give you a simplified overview of Wireshark’s function blocks:
Figure 6.1. Wireshark function blocks
The function blocks in more detail:
GTK+ 2:: Handling of all user input/output (all windows, dialogs and such).
Source code can be found in the ui/gtk directory.
Main "glue code" that holds the other blocks together. Source
code can be found in the root directory.
Ethereal Packet ANalyzer — the packet analyzing engine.
Source code can be found in the epan directory. Epan provides
the following APIs:
Protocol Tree. Dissection information for an individual packet.
Dissectors. The various protocol dissectors in
Dissector Plugins - Support for implementing dissectors as separate modules.
Source code can be found in plugins.
Display Filters - The display filter engine at
The wiretap library is used to read and write capture files in libpcap,
pcapng, and many other file formats. Source code is in the
The interface with the capture engine. Source code is in the
The capture engine itself. This is the only part that is to execute
with elevated privileges. Source code is in the root directory.
WinPcap and libpcap
These are separate libraries that provide packet capture
and filtering support on different platforms. The filtering WinPcap and libpcap
works at a much lower level than Wireshark’s display filters and uses a
significantly different mechanism. That’s why we have different display and
capture filter syntaxes.