The following will give you a simplified overview of Wireshark's function blocks:

The function blocks in more detail:

- GTK 1/2: Handling of all user input/output (all windows, dialogs and such). Source code can be found in the gtk directory.
- Core: Main "glue code" that holds the other blocks together. Source code can be found in the root directory.
- Epan: Ethereal Packet ANalyzer (XXX - is this correct?), the packet analyzing engine. Source code can be found in the epan directory.
  - Protocol-Tree: Keeps the protocol information of the capture file's packets.
  - Dissectors: The various protocol dissectors, in epan/dissectors.
  - Plugins: Some of the protocol dissectors are implemented as plugins. Source code can be found in the plugins directory.
  - Display-Filters: The display filter engine, in epan/dfilter.
- Capture: The capture engine.
- Wiretap: The wiretap library is used to read/write capture files in libpcap and a lot of other file formats. Source code can be found in the wiretap directory.
- Win-/libpcap (not part of the Wireshark package): The platform dependent packet capture library, including the capture filter engine. This is why Wireshark still has different display and capture filter syntaxes: two different filtering engines are used.
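To make the job of the wiretap block concrete, here is an added example (not code from the Wireshark project) that writes and reads the classic libpcap file format in pure Python: a 24-byte global header followed by one 16-byte record header per packet. It also shows the first step a dissector performs on each record, splitting off the Ethernet header. The magic numbers, header layouts and link-type value are the documented libpcap ones; the sample frames and the function names are constructed for the example.

```python
"""Minimal libpcap (pcap) reader/writer, added as an illustration of what
Wireshark's wiretap library does. This is not wiretap's own code and it
supports only the classic pcap format (magic 0xa1b2c3d4 / 0xa1b23c4d,
version 2.4), not pcapng or the many other formats wiretap handles.
"""
import struct

MAGIC_USEC = 0xA1B2C3D4       # timestamps with microsecond fraction
MAGIC_NSEC = 0xA1B23C4D       # timestamps with nanosecond fraction
LINKTYPE_ETHERNET = 1         # DLT_EN10MB

GLOBAL_HDR = "IHHiIII"        # magic, ver_major, ver_minor, thiszone, sigfigs, snaplen, network
RECORD_HDR = "IIII"           # ts_sec, ts_frac, incl_len (captured), orig_len (on the wire)

# Constructed sample frames: (ts_sec, ts_usec, raw Ethernet frame). Not real traffic.
SAMPLE_FRAMES = [
    (1700000000, 1500, bytes.fromhex("ffffffffffff001122334455" "0806") + bytes(28)),  # ARP-sized
    (1700000000, 2500, bytes.fromhex("001122334455aabbccddeeff" "0800") + bytes(40)),  # IPv4-sized
]


def write_pcap(packets, linktype=LINKTYPE_ETHERNET, snaplen=65535, endian="<"):
    """Serialize (ts_sec, ts_usec, bytes) tuples into a pcap file held in memory."""
    out = [struct.pack(endian + GLOBAL_HDR, MAGIC_USEC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, data in packets:
        captured = data[:snaplen]   # the snapshot length truncates what is stored, as a capture engine would
        out.append(struct.pack(endian + RECORD_HDR, ts_sec, ts_usec, len(captured), len(data)))
        out.append(captured)
    return b"".join(out)


def read_pcap(blob):
    """Parse an in-memory pcap file. Returns (linktype, ticks_per_second, records)."""
    if len(blob) < 24:
        raise ValueError("file shorter than the 24-byte global header")
    # The magic number is written in the writer's native byte order, so it tells us the endianness.
    magic_le = struct.unpack("<I", blob[:4])[0]
    magic_be = struct.unpack(">I", blob[:4])[0]
    if magic_le in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = "<", magic_le
    elif magic_be in (MAGIC_USEC, MAGIC_NSEC):
        endian, magic = ">", magic_be
    else:
        raise ValueError("not a libpcap file: bad magic 0x%08x" % magic_le)
    ticks = 1_000_000 if magic == MAGIC_USEC else 1_000_000_000
    _, vmaj, vmin, _, _, snaplen, linktype = struct.unpack(endian + GLOBAL_HDR, blob[:24])
    if (vmaj, vmin) != (2, 4):
        raise ValueError("unsupported pcap version %d.%d" % (vmaj, vmin))
    records, off = [], 24
    while off < len(blob):
        if len(blob) - off < 16:
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + RECORD_HDR, blob[off:off + 16])
        off += 16
        # Reject lengths that contradict the header: a reader that trusts them blindly can be made to over-read.
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError("record at offset %d has inconsistent lengths" % (off - 16))
        if len(blob) - off < incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        records.append({"ts_sec": ts_sec, "ts_frac": ts_frac, "incl_len": incl_len,
                        "orig_len": orig_len, "data": blob[off:off + incl_len]})
        off += incl_len
    return linktype, ticks, records


def is_valid_pcap(blob):
    """True if read_pcap accepts the blob without error."""
    try:
        read_pcap(blob)
        return True
    except ValueError:
        return False


def ethernet_summary(frame):
    """First dissection step on an Ethernet frame: (dst MAC, src MAC, EtherType)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda m: ":".join("%02x" % b for b in m)
    return mac(dst), mac(src), etype


if __name__ == "__main__":
    blob = write_pcap(SAMPLE_FRAMES)
    linktype, ticks, recs = read_pcap(blob)
    print("linktype %d, %d records" % (linktype, len(recs)))
    for r in recs:
        print("%d.%06d" % (r["ts_sec"], r["ts_frac"]), ethernet_summary(r["data"]))
```

The round trip goes through write_pcap and read_pcap so the reader can be exercised on a little-endian and a big-endian file alike; the length checks in read_pcap are the kind of validation a file-format reader needs, since capture files are untrusted input.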