- wtap
c
typedef struct wtap wtap;
/**
* Struct holding data of the currently read file.
*/
struct wtap {
FILE_T fh;
FILE_T random_fh; /**< Secondary FILE_T for random access */
gboolean ispipe; /**< TRUE if the file is a pipe */
int file_type_subtype;
guint snapshot_length;
GArray *shb_hdrs;
GArray *interface_data; /**< An array holding the interface data from pcapng IDB:s or equivalent(?)*/
guint next_interface_data; /**< Next interface data that wtap_get_next_interface_description() will show */
GArray *nrb_hdrs; /**< holds the Name Res Block's comment/custom_opts, or NULL */
GArray *dsbs; /**< An array of DSBs (of type wtap_block_t), or NULL if not supported. */
char *pathname; /**< File pathname; might just be "-" */
void *priv; /* this one holds per-file state and is free'd automatically by wtap_close() */
void *wslua_data; /* this one holds wslua state info and is not free'd */
subtype_read_func subtype_read;
subtype_seek_read_func subtype_seek_read;
void (*subtype_sequential_close)(struct wtap*);
void (*subtype_close)(struct wtap*);
int file_encap; /* per-file, for those
* file formats that have
* per-file encapsulation
* types rather than per-packet
* encapsulation types
*/
int file_tsprec; /* per-file timestamp precision
* of the fractional part of
* the time stamp, for those
* file formats that have
* per-file timestamp
* precision rather than
* per-packet timestamp
* precision
* e.g. WTAP_TSPREC_USEC
*/
wtap_new_ipv4_callback_t add_new_ipv4;
wtap_new_ipv6_callback_t add_new_ipv6;
wtap_new_secrets_callback_t add_new_secrets;
GPtrArray *fast_seek;
};
在 Wireshark 中,wtap 主要承担着抓包文件 I/O 接口的功能。它能够识别多种不同的抓包文件格式,并将这些文件中的内容转换为统一的格式以便于 Wireshark 解析使用。目前支持的抓包文件格式包括 libpcap、tcpdump、WinDump 等常见的类型,此外还可以直接从标准输入或套接字接收实时数据流。
除了抓包文件 I/O 功能外,wtap 还提供了诸如数据过滤、时间戳调整等功能,使用户可以更加方便地操作并分析网络数据包。正是由于 wtap 的强大性能和灵活特性,使其成为了 Wireshark 中不可或缺的核心组成部分之一。
- epan_t
c
/** A client will create one epan_t for an entire dissection session.
* A single epan_t will be used to analyze the entire sequence of packets,
* sequentially, in a single session. A session corresponds to a single
* packet trace file. The reasons epan_t exists is that some packets in
* some protocols cannot be decoded without knowledge of previous packets.
* This inter-packet "state" is stored in the epan_t.
*/
typedef struct epan_session epan_t;
struct epan_session {
struct packet_provider_data *prov; /* packet provider data for this session */
struct packet_provider_funcs funcs; /* functions using that data */
};
/*
* Packet provider for programs using a capture file.
*/
struct packet_provider_data {
wtap *wth; /* Wiretap session */
const frame_data *ref;
frame_data *prev_dis;
frame_data *prev_cap;
frame_data_sequence *frames; /* Sequence of frames, if we're keeping that information */
GTree *frames_modified_blocks; /* BST with modified blocks for frames (key = frame_data) */
};
/**
* Structure containing pointers to functions supplied by the user
* of libwireshark.
*/
struct packet_provider_funcs {
const nstime_t *(*get_frame_ts)(struct packet_provider_data *prov, guint32 frame_num);
const char *(*get_interface_name)(struct packet_provider_data *prov, guint32 interface_id);
const char *(*get_interface_description)(struct packet_provider_data *prov, guint32 interface_id);
wtap_block_t (*get_modified_block)(struct packet_provider_data *prov, const frame_data *fd);
};
epan_t 结构体则代表了整个 Wireshark 分析会话的状态。它包含了 epan_dissect_t 等多个关键结构体,并且提供了许多方便实用的接口来处理捕获的数据包、追踪协议状态等任务。
- epan_dissect_t
c
typedef struct epan_dissect epan_dissect_t;
/* Dissection of a single byte array. Holds tvbuff info as
* well as proto_tree info. As long as the epan_dissect_t for a byte
* array is in existence, you must not free or move that byte array,
* as the structures that the epan_dissect_t contains might have pointers
* to addresses in your byte array.
*/
struct epan_dissect {
struct epan_session *session;//关联epan_t
tvbuff_t *tvb;
proto_tree *tree;
packet_info pi;
};
epan_dissect_t 结构体包含了有关单个数据包的所有详细信息。它是一个指向包含原始数据包缓冲区(tvb)、协议树(tree)以及关于数据包和协议显示的各种相关信息(pi)的指针。
在进行网络数据包分析时,每个接收到的数据包都会创建一个 epan_dissect_t 结构体来进行详细的解码工作。同时,所有相关的 epan_dissect_t 结构体会共同构成一个全局的 epan_t 结构体,以反映当前 Wireshark 的分析状态。
因此可以说,epan_dissect_t 负责处理单个数据包的具体分析细节,而 epan_t 则负责在整个会话过程中协调和管理这些细节,使得 Wireshark 可以正确地进行复杂的网络数据包分析。
- packet_info
此结构体保存了一个数据包的基本信息,例如它的编号、长度、捕捉时间戳等等。这些信息通常会被显示在 Wireshark 窗口的表头部分。
c
typedef struct _packet_info {
const char *current_proto; /**< name of protocol currently being dissected */
struct epan_column_info *cinfo; /**< Column formatting information */
guint32 presence_flags; /**< Presence flags for some items */
guint32 num; /**< Frame number */
nstime_t abs_ts; /**< Packet absolute time stamp */
nstime_t rel_ts; /**< Relative timestamp (yes, it can be negative) */
frame_data *fd;
union wtap_pseudo_header *pseudo_header;
wtap_rec *rec; /**< Record metadata */
GSList *data_src; /**< Frame data sources */
address dl_src; /**< link-layer source address */
address dl_dst; /**< link-layer destination address */
address net_src; /**< network-layer source address */
address net_dst; /**< network-layer destination address */
address src; /**< source address (net if present, DL otherwise )*/
address dst; /**< destination address (net if present, DL otherwise )*/
guint32 vlan_id; /**< First encountered VLAN Id if present otherwise 0 */
const char *noreassembly_reason; /**< reason why reassembly wasn't done, if any */
gboolean fragmented; /**< TRUE if the protocol is only a fragment */
struct {
guint32 in_error_pkt:1; /**< TRUE if we're inside an {ICMP,CLNP,...} error packet */
guint32 in_gre_pkt:1; /**< TRUE if we're encapsulated inside a GRE packet */
} flags;
port_type ptype; /**< type of the following two port numbers */
guint32 srcport; /**< source port */
guint32 destport; /**< destination port */
guint32 match_uint; /**< matched uint for calling subdissector from table */
const char *match_string; /**< matched string for calling subdissector from table */
gboolean use_conv_addr_port_endpoints; /**< TRUE if address/port endpoints member should be used for conversations */
struct conversation_addr_port_endpoints* conv_addr_port_endpoints; /**< Data that can be used for address+port conversations, including wildcarding */
struct conversation_element *conv_elements; /**< Arbritrary conversation identifier; can't be wildcarded */
guint16 can_desegment; /**< >0 if this segment could be desegmented.
A dissector that can offer this API (e.g.
TCP) sets can_desegment=2, then
can_desegment is decremented by 1 each time
we pass to the next subdissector. Thus only
the dissector immediately above the
protocol which sets the flag can use it*/
guint16 saved_can_desegment; /**< Value of can_desegment before current
dissector was called. Supplied so that
dissectors for proxy protocols such as
SOCKS can restore it, allowing the
dissectors that they call to use the
TCP dissector's desegmentation (SOCKS
just retransmits TCP segments once it's
finished setting things up, so the TCP
desegmentor can desegment its payload). */
int desegment_offset; /**< offset to stuff needing desegmentation */
#define DESEGMENT_ONE_MORE_SEGMENT 0x0fffffff
#define DESEGMENT_UNTIL_FIN 0x0ffffffe
guint32 desegment_len; /**< requested desegmentation additional length
or
DESEGMENT_ONE_MORE_SEGMENT:
Desegment one more full segment
(warning! only partially implemented)
DESEGMENT_UNTIL_FIN:
Desgment all data for this tcp session
until the FIN segment.
*/
guint16 want_pdu_tracking; /**< >0 if the subdissector has specified
a value in 'bytes_until_next_pdu'.
When a dissector detects that the next PDU
will start beyond the start of the next
segment, it can set this value to 2
and 'bytes_until_next_pdu' to the number of
bytes beyond the next segment where the
next PDU starts.
If the protocol dissector below this
one is capable of PDU tracking it can
use this hint to detect PDUs that starts
unaligned to the segment boundaries.
The TCP dissector is using this hint from
(some) protocols to detect when a new PDU
starts in the middle of a tcp segment.
There is intelligence in the glue between
dissector layers to make sure that this
request is only passed down to the protocol
immediately below the current one and not
any further.
*/
guint32 bytes_until_next_pdu;
int p2p_dir; /**< Packet was captured as an
outbound (P2P_DIR_SENT)
inbound (P2P_DIR_RECV)
unknown (P2P_DIR_UNKNOWN) */
GHashTable *private_table; /**< a hash table passed from one dissector to another */
wmem_list_t *layers; /**< layers of each protocol */
wmem_map_t *proto_layers; /** map of proto_id to curr_proto_layer_num. */
guint8 curr_layer_num; /**< The current "depth" or layer number in the current frame */
guint8 curr_proto_layer_num; /**< The current "depth" or layer number for this dissector in the current frame */
guint16 link_number;
guint16 clnp_srcref; /**< clnp/cotp source reference (can't use srcport, this would confuse tpkt) */
guint16 clnp_dstref; /**< clnp/cotp destination reference (can't use dstport, this would confuse tpkt) */
int link_dir; /**< 3GPP messages are sometime different UP link(UL) or Downlink(DL) */
gint16 src_win_scale; /**< Rcv.Wind.Shift src applies when sending segments; -1 unknown; -2 disabled */
gint16 dst_win_scale; /**< Rcv.Wind.Shift dst applies when sending segments; -1 unknown; -2 disabled */
GSList* proto_data; /**< Per packet proto data */
GSList* dependent_frames; /**< A list of frames which this one depends on */
GSList* frame_end_routines;
wmem_allocator_t *pool; /**< Memory pool scoped to the pinfo struct */
struct epan_session *epan;
const gchar *heur_list_name; /**< name of heur list if this packet is being heuristically dissected */
} packet_info;
- proto_tree
这是一个二叉树结构,用于描述数据包中各个层次的协议字段。每当遇到一个新的协议层时,就会在树中添加一个新的节点,并将其子节点用于描述该协议层下的各个字段。
c
/** Each proto_tree, proto_item is one of these. */
typedef struct _proto_node {
struct _proto_node *first_child;
struct _proto_node *last_child;
struct _proto_node *next;
struct _proto_node *parent;
field_info *finfo;
tree_data_t *tree_data;
} proto_node;
/** A protocol tree element. */
typedef proto_node proto_tree;
- proto_item
这是 proto_tree 的叶子节点,用于表示具体的协议字段。它可以包含该字段的相关信息,如名称、值、长度等。当用户查看或搜索某个特定字段时,就会通过这个结构体找到相关的信息。
c
/** A protocol item element. */
typedef proto_node proto_item;
- field_info
此结构体定义了一个字段的属性,包括它的类型、长度、标签等。在对数据包进行解码时,Wireshark 就会根据这些属性信息来确定如何解析相应的字段值。
c
/** Contains the field information for the proto_item. */
typedef struct field_info {
header_field_info *hfinfo; /**< pointer to registered field information */
gint start; /**< current start of data in field_info.ds_tvb */
gint length; /**< current data length of item in field_info.ds_tvb */
gint appendix_start; /**< start of appendix data */
gint appendix_length; /**< length of appendix data */
gint tree_type; /**< one of ETT_ or -1 */
guint32 flags; /**< bitfield like FI_GENERATED, ... */
item_label_t *rep; /**< string for GUI tree */
tvbuff_t *ds_tvb; /**< data source tvbuff */
fvalue_t value;
int total_layer_num; /**< Hierarchical layer number, for all protocols in the tree. */
int proto_layer_num; /**< Protocol layer number, so 1st, 2nd, 3rd, ... for protocol X. */
} field_info;