The following will give you a simplified overview of Wireshark’s function blocks:
The function blocks in more detail:
- GUI: Handling of all user input/output (all windows, dialogs and such). Source code can be found in the ui/qt directory.
- Core: Main "glue code" that holds the other blocks together. Source code can be found in the root directory.
- Epan: Enhanced Packet ANalyzer, the packet analyzing engine. Source code can be found in the epan directory. Epan provides the following APIs:
  - Protocol Tree: Dissection information for an individual packet.
  - Dissectors: The various protocol dissectors in epan/dissectors.
  - Dissector Plugins: Support for implementing dissectors as separate modules. Source code can be found in plugins.
  - Display Filters: The display filter engine at epan/dfilter.
- Wiretap: The wiretap library is used to read and write capture files in libpcap, pcapng, and many other file formats. Source code is in the wiretap directory.
- Capture: The interface to the capture engine. Source code is in the root directory.
- Dumpcap: The capture engine itself. This is the only part that executes with elevated privileges. Source code is in the root directory.
- Npcap and libpcap: These are external libraries that provide packet capture and filtering support on different platforms. The filtering in Npcap and libpcap works at a much lower level than Wireshark’s display filters and uses a significantly different mechanism. That’s why there are different display and capture filter syntaxes.
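The privilege split above (only dumpcap runs elevated, the GUI and dissectors do not) is worth verifying on an installed system. The following POSIX shell audit is an added example, not code from the Wireshark project; the binary names it checks and the /usr/bin default directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the Wireshark sources): audit the privilege split.
# Only dumpcap should carry elevated privileges (setuid root or file
# capabilities); the GUI, tshark and the dissection code must not.

# is_setuid FILE -> 0 if the setuid bit is set, 1 otherwise.
# Reads the ls mode string (4th char is 's' or 'S' when setuid) for portability.
is_setuid() {
    [ -e "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# has_caps FILE -> 0 if getcap reports file capabilities, 1 if none or no getcap.
has_caps() {
    command -v getcap >/dev/null 2>&1 || return 1
    [ -n "$(getcap "$1" 2>/dev/null)" ]
}

# audit_wireshark_privs [DIR] -> 0 when no unprivileged-by-design binary in DIR
# is setuid or capability-bearing, 1 otherwise. Prints each finding.
audit_wireshark_privs() {
    dir=${1:-/usr/bin}   # assumption: install directory
    rc=0
    for name in wireshark tshark rawshark capinfos editcap; do
        f="$dir/$name"
        [ -e "$f" ] || continue
        if is_setuid "$f" || has_caps "$f"; then
            echo "UNEXPECTED: $f carries elevated privileges"
            rc=1
        fi
    done
    if [ -e "$dir/dumpcap" ]; then
        if is_setuid "$dir/dumpcap" || has_caps "$dir/dumpcap"; then
            echo "ok: $dir/dumpcap is the privileged capture helper"
        else
            echo "note: $dir/dumpcap is unprivileged (capture needs root or a capture group)"
        fi
    fi
    return $rc
}
```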