// WSUG Appendix How it Works

[[AppHowItWorks]]

[appendix]
== How Wireshark Works

When using a program as complex as Wireshark, it is sometimes useful to
understand the mechanisms and concepts behind the surface. This appendix
sheds some light on the inner workings of Wireshark.

=== Program start

When Wireshark starts, several things happen:

* Initialize the dissectors (register the protocol tree), including plugins

* Load and set values from the preferences file

* Load the capture filters from the cfilters file

* Load the display filters from the dfilters file

* Load and set the disabled protocols from the disabled_protos file

* Init libpcap/Npcap (the capturing engine)

* Process command line parameters

* Load and set the recently used GUI settings from the recent file

* Init and show the main screen

* If specified by command line, load a capture file or start capturing

=== Protocol dissectors

Each protocol has its own protocol dissector. When processing network data,
Wireshark calls the dissector that seems relevant to the packet data. The
dissector then processes the packet data and hands any unprocessed data
back to Wireshark for further dissection.

So Wireshark dissects a packet from the lowest to the highest protocol
layer.

But how does Wireshark know which dissector to use?

When Wireshark starts, each dissector registers itself in one of two ways:

* _Static_. If the dissector knows a specific value of a lower layer, it can
  directly register itself there (e.g. the HTTP dissector “knows” that
  typically the well known TCP port 80 is used to transport HTTP data).

* _Heuristic_. If no such well known way exists, the dissector
  can register itself for the heuristic mechanism. If a lower layer dissector
  has to handle some packet data where no well known way exists, it can
  hand over the packet to Wireshark’s heuristic mechanism. This asks all
  registered upper layer dissectors whether they “like” that data. These
  dissectors typically look at the first few bytes of the packet to see if they
  contain some characteristic data of that protocol, and then
  decide whether or not to dissect that packet.

Let’s look at an example. We’ll assume Wireshark loads a TCP/IP/Ethernet
packet. Wireshark calls the Ethernet dissector, which dissects the
Ethernet related data (usually the first 6 + 6 + 2 bytes). The Ethernet
dissector then passes the rest of the data back to Wireshark.
Wireshark in turn calls the next related dissector, in our case the IP
dissector (because of the value 0x800 in the Ethernet type field). This
continues until no more data has to be dissected, or the data is
unknown to Wireshark.

You can control the way Wireshark calls its dissectors, see
<<ChAdvProtocolDissectionSection>> for details.

// End of WSUG Appendix How it Works
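To make the two registration paths and the Ethernet-to-IP hand-off concrete, here is a constructed C model of the dispatch loop (an added example, not Wireshark's own code or API): an IPv4 dissector is registered statically under Ethernet type 0x0800, and a heuristic dissector is registered for a made-up protocol recognised by the magic bytes `WS`. The sample frames, the toy protocol and the use of type 0x88B5 as "nothing registered here" are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed model (not Wireshark's own code) of the two registration paths
 * described above: a static table keyed by the lower layer's Ethernet type, and a
 * list of heuristic dissectors asked in turn whether they "like" the payload.
 * A dissector returns the number of bytes it claims, or 0 to reject the data. */
typedef int (*dissector_t)(const uint8_t *data, size_t len);
#define ETH_HDR_LEN 14        /* 6 dst + 6 src + 2 type */
#define ETHERTYPE_IP 0x0800
static struct { uint16_t type; dissector_t d; } eth_table[8];
static size_t eth_count;
static dissector_t heur_list[8];
static size_t heur_count;
static void register_ethertype(uint16_t t, dissector_t d) {
    eth_table[eth_count].type = t; eth_table[eth_count++].d = d;
}
static void register_heuristic(dissector_t d) { heur_list[heur_count++] = d; }
/* IPv4, statically registered for 0x0800: rejects anything not version 4. */
static int dissect_ipv4(const uint8_t *p, size_t len) {
    if (len < 20 || (p[0] >> 4) != 4) return 0;
    return (p[0] & 0x0f) * 4;                 /* header length from IHL */
}
/* Heuristic for a constructed toy protocol recognised by the magic bytes "WS". */
static int heur_dissect_toy(const uint8_t *p, size_t len) {
    return (len >= 2 && p[0] == 'W' && p[1] == 'S') ? (int)len : 0;
}
/* Ethernet: claims 14 bytes, then tries the ethertype table and, if nothing
 * matches, every heuristic. Returns bytes dissected, or -1 if the data is unknown. */
int dissect_ethernet(const uint8_t *p, size_t len) {
    if (len < ETH_HDR_LEN) return -1;
    uint16_t type = (uint16_t)((p[12] << 8) | p[13]);
    const uint8_t *pl = p + ETH_HDR_LEN;
    size_t pllen = len - ETH_HDR_LEN;
    int n = 0;
    for (size_t i = 0; i < eth_count && n == 0; i++)
        if (eth_table[i].type == type) n = eth_table[i].d(pl, pllen);
    for (size_t i = 0; i < heur_count && n == 0; i++)
        n = heur_list[i](pl, pllen);
    return n > 0 ? ETH_HDR_LEN + n : -1;
}
void setup_dissectors(void) {                 /* idempotent, safe to call twice */
    if (eth_count == 0) register_ethertype(ETHERTYPE_IP, dissect_ipv4);
    if (heur_count == 0) register_heuristic(heur_dissect_toy);
}
/* Constructed sample frames: IPv4 (20-byte header) behind type 0x0800, and a
 * payload behind type 0x88B5 (unregistered here) that only the heuristic claims. */
const uint8_t frame_ipv4[] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x08,0x00,
    0x45,0,0,20, 0,0,0,0, 64,6,0,0, 10,0,0,1, 10,0,0,2 };
const uint8_t frame_toy[] = { 0,1,2,3,4,5, 6,7,8,9,10,11, 0x88,0xB5, 'W','S',1,2 };
```

Calling `dissect_ethernet(frame_ipv4, sizeof frame_ipv4)` returns 34 via the static path, `dissect_ethernet(frame_toy, sizeof frame_toy)` returns 18 via the heuristic, and a frame nobody claims yields -1, mirroring "data unknown to Wireshark".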