Wireshark-dev: Re: [Wireshark-dev] Wireshark API/packet "trace"

From: dest <dest@xxxxxxx>
Date: Sat, 06 Mar 2010 19:05:48 -0500

On 3/5/2010 2:04 PM, Guy Harris wrote:
>
> On Mar 4, 2010, at 1:05 PM, Shawn Mayer wrote:
>
>> Where is the Wireshark API/code documentation located?
>
> Some of it is in the "doc" directory in the source code, in a bunch of
README.* files.
>
> The rest of it is scattered in the source tree, in a bunch of .c and .h
files. :-)

Thanks, I'll take a look.

>
>> Also is it described anywhere of what happens to a packet as it is
captured 
>> (basically how it traverses the code?)
>
> As it is captured, or as it is dissected?
>
> "As it is captured" is, at least in part, OS-dependent.  Packets are
initially processed by a mechanism running in kernel mode; it's built into
the OS in UN*Xes (BPF, PF_PACKET sockets, DLPI, etc.), and provided as a
driver with WinPcap on Windows.  Then it's received by libpcap/WinPcap,
which hands them to the application - dumpcap, in this case - and then
written to a file, which Wireshark/TShark read.

The goal of my project is to write a plugin for Wireshark that compiles the
AIM conversations occurring on a network using APR Poisoning by Cain in the
background in order to demonstrate privacy concerns for a senior project.
>From your explanation I think as it is dissected would be of more use. I
only require the information that is displayed by the "Aim Messaging"
protocol and the source and destination IP addresses. Once I figure out how
to pull that information into my plugin I can then group the messages into
conversations, ect.Thanks for the assistance.
>
___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>