7.2. Overview

The following will give you a simplified overview of Wireshark’s function blocks:

Figure 7.1. Wireshark function blocks

ws function blocks

The function blocks in more detail:

Handling of all user input/output (all windows, dialogs and such). Source code can be found in the ui/qt directory.
Main "glue code" that holds the other blocks together. Source code can be found in the root directory.

Enhanced Packet ANalyzer — the packet analyzing engine. Source code can be found in the epan directory. Epan provides the following APIs:

  • Protocol Tree. Dissection information for an individual packet.
  • Dissectors. The various protocol dissectors in epan/dissectors.
  • Dissector Plugins - Support for implementing dissectors as separate modules. Source code can be found in plugins.
  • Display Filters - The display filter engine at epan/dfilter.
The wiretap library is used to read and write capture files in libpcap, pcapng, and many other file formats. Source code is in the wiretap directory.
The interface to the capture engine. Source code is in the root directory.
The capture engine itself. This is the only part that executes with elevated privileges. Source code is in the root directory.
Npcap and libpcap
These are external libraries that provide packet capture and filtering support on different platforms. The filtering in Npcap and libpcap works at a much lower level than Wireshark’s display filters and uses a significantly different mechanism. That’s why there are different display and capture filter syntaxes.