nexmon – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | This document is an attempt, to bring some light to the things done, when |
| 2 | packet capturing is performed. There might be things missing, and others |
||
| 3 | maybe wrong :-( The following will concentrate a bit on the win32 gtk |
||
| 4 | port of wireshark. |
||
| 5 | |||
| 6 | |||
| 7 | XXX: when ongoing file reorganization will be completed, the following |
||
| 8 | two lists maybe won't be needed any longer! |
||
| 9 | |||
| 10 | libpcap related source files: |
||
| 11 | ----------------------------- |
||
| 12 | capture-pcap-util.c |
||
| 13 | capture-pcap-util.h |
||
| 14 | capture-pcap-util-int.h |
||
| 15 | capture-pcap-util-unix.c |
||
| 16 | capture-wpcap.c |
||
| 17 | capture-wpcap.h |
||
| 18 | capture_wpcap_packet.c |
||
| 19 | capture_wpcap_packet.h |
||
| 20 | |||
| 21 | Capture related source files: |
||
| 22 | ----------------------------- |
||
| 23 | capture.c |
||
| 24 | capture.h |
||
| 25 | capture_loop.c |
||
| 26 | capture_loop.h |
||
| 27 | capture_opts.c |
||
| 28 | capture-stop-conditions.c |
||
| 29 | capture-stop-conditions.h |
||
| 30 | capture_sync.c |
||
| 31 | capture_ui_utils.c |
||
| 32 | capture_ui_utils.h |
||
| 33 | conditions.c (XXX: is conditions generic or capture specific?) |
||
| 34 | conditions.h |
||
| 35 | |||
| 36 | |||
| 37 | Capture driver |
||
| 38 | -------------- |
||
| 39 | Wireshark doesn't have direct access to the capture hardware. Instead of this, |
||
| 40 | it uses the Libpcap/Winpcap library to capture data from network cards. |
||
| 41 | |||
| 42 | On Win32, in capture-wpcap.c the function ws_module_open("wpcap.dll") is called |
||
| 43 | to load the wpcap.dll. This dll includes all functions needed for |
||
| 44 | packet capturing. |
||
| 45 | |||
| 46 | |||
| 47 | |||
| 48 | Capture File |
||
| 49 | ------------ |
||
| 50 | There are some kinds of targets to put the capture data into: |
||
| 51 | |||
| 52 | -temporary file |
||
| 53 | -user specified "single" capture file |
||
| 54 | -user specified "ringbuffer" capture file |
||
| 55 | |||
| 56 | Which kind of file is used depends on the user settings. In principle there |
||
| 57 | is no difference in handling these files, so if not otherwise notified, |
||
| 58 | it will be called the capture file. |
||
| 59 | |||
| 60 | The capture file is stored, using the wiretap library. |
||
| 61 | |||
| 62 | |||
| 63 | Overview |
||
| 64 | -------- |
||
| 65 | Capturing is done using a two task model: the currently running (parent) |
||
| 66 | process will spawn a child process to do the real capture work, namely |
||
| 67 | controlling libpcap. This two task model is used because it's necessary |
||
| 68 | to split the capturing process (which should avoid packet drop) from the parent |
||
| 69 | process which might need significant time to display the data. |
||
| 70 | |||
| 71 | When a capture is started, the parent builds a "command line" and creates a |
||
| 72 | new child process with it. A pipe from the child to the parent is created |
||
| 73 | which is used to transfer control messages. |
||
| 74 | |||
| 75 | The child will init libpcap and send the parent a "new capture file is used" |
||
| 76 | control message through the pipe. |
||
| 77 | |||
| 78 | The child cyclically takes the packet data from libpcap and saves it to disk. |
||
| 79 | From time to time it will send the parent a "new packets" control message. |
||
| 80 | |||
| 81 | If the parent process receives this "new packets" message and the option |
||
| 82 | "Update list of packets in real time" is used, it will read the packet data |
||
| 83 | from the file, dissect and display it. |
||
| 84 | |||
| 85 | |||
| 86 | If the user wants to stop the capture, this can be done in two ways: by |
||
| 87 | menu/toolbar of the parent process or the Stop button of the child processes |
||
| 88 | dialog box (which obviously cannot be used it this dialog is hidden). |
||
| 89 | |||
| 90 | The Stop button will stop the capture itself, close the control pipe and then |
||
| 91 | closes itself. The parent will detect this and stop its part of the capture. |
||
| 92 | |||
| 93 | If the menu/toolbar is used, the parent will send a break signal to the child |
||
| 94 | which will lead to the same sequence as described above. |
||
| 95 | |||
| 96 | Win32 only: as the windows implementation of signals simply doesn't work, |
||
| 97 | another pipe from the parent to the child is used to send a "close capture" |
||
| 98 | message instead of a signal. |
||
| 99 | |||
| 100 | |||
| 101 | Start capture |
||
| 102 | ------------- |
||
| 103 | A capture is started, by specifying to start the capture at the command line, |
||
| 104 | trigger the OK button in the "Capture Options" dialog box and some more. The |
||
| 105 | capture start is actually done by calling the capture_start() function in |
||
| 106 | capture.c. |
||
| 107 | |||
| 108 | |||
| 109 | Capture child (Loop) |
||
| 110 | -------------------- |
||
| 111 | The capture child will open the target capture file, prepare pcap things, |
||
| 112 | init stop conditions, init the capture statistic dialog (if not hidden) and |
||
| 113 | start a loop which is running until the flag ld.go is FALSE. |
||
| 114 | |||
| 115 | Inside this loop, |
||
| 116 | |||
| 117 | -gtk main things are updated |
||
| 118 | -pcap_dispatch(capture_pcap_cb) is called |
||
| 119 | -the capture stop conditions are checked (ld.go is set to FALSE to finish) |
||
| 120 | -update the capture statistic dialog (if not hidden) |
||
| 121 | |||
| 122 | While this loop is running, the pcap_dispatch() will call capture_pcap_cb() |
||
| 123 | for every packet captured. Inside this, the packet data is converted into |
||
| 124 | wtap (wiretap) format and saved to file. Beside saving, it is trying to |
||
| 125 | do some basic dissecting (for the statistic window), by calling the |
||
| 126 | appropriate capture_xxx function. |
||
| 127 | |||
| 128 | When the user triggered a capture stop or one of the capture stop conditions |
||
| 129 | matched, the ld.go flag is set to FALSE, and the loop will stop shortly after. |
||
| 130 | |||
| 131 | |||
| 132 | Capture parent |
||
| 133 | -------------- |
||
| 134 | In the capture parent the cap_pipe_input_cb() function is called "cyclically" |
||
| 135 | (unix:waiting for pipe, win32:timer,1000ms) to read data from the pipe and show |
||
| 136 | it on the main screen. While the capture is in progress, no other capture file |
||
| 137 | can be opened. |
||
| 138 | |||
| 139 | |||
| 140 | Updating |
||
| 141 | -------- |
||
| 142 | The actual packet capturing inside the libpcap is done using its own task. |
||
| 143 | Catching and processing the packet data from the libpcap is done using the |
||
| 144 | pcap_dispatch() function. |