This is a static archive of our old Q&A Site. Please post any new questions and answers at

Wireshark Development Approach For starters



I just completed a course in "C on Linux", Data Structures, Linux user space programming and Linux Device Drivers. Now I find myself a little confused and in the middle of nowhere. I would like to learn & make tools such as Wireshark (I understand it's a very complex tool with years of man hours effort gone into it... but all newbies have to start somewhere :-) )

So my dilemma is as follows :

  • To learn to develop a tool like Wireshark, do I need to focus on "user space" programming (APIs and protocols), or do I need to focus on Linux Internals, Linux Kernel Network Internals & Linux Kernel programming as well?

  • If I need to focus on Linux Internals, Network Internals & Kernel programming as well, then what do developers do when they deal with "Windows", as it's closed source software? Don't developers face challenges when working with Windows in the absence of Windows source code?

  • Lastly, I can learn about protocols such as TCP/IP (and functions & APIs) using a "unix socket programming" book, but how do I learn about other protocols and the APIs they extend?

PS: Kindly do answer these questions as I am confused at the moment. I am trying to look for answers on Google too.

Thanks !

asked 14 Aug '15, 01:00

Monu

accept rate: 0%

3 Answers:

  1. Start with user space programming
  2. There's all kinds of technical info available, even for Windows
  3. Look at RFCs

Here is a list of resources you can pull information from:

answered 14 Aug '15, 01:53

Jaap ♦
accept rate: 14%


Wireshark is a userspace program, and like all such applications it will make use of system/kernel APIs to run. Note that Wireshark isn't limited to Linux, but runs on multiple platforms.

Wireshark is a packet analyser, it allows you to analyze traffic made by other applications but has very little internal involvement with network programming as such.

answered 14 Aug '15, 01:56

grahamb ♦
accept rate: 22%


The level of knowledge needed depends on what you want to do. Writing a protocol dissector for a simple protocol with no reassembly is a pretty trivial task that could be done with basic programming skills, just using Wireshark's APIs (copy and paste from other similar dissectors).

More advanced dissectors require deeper knowledge about the protocol and Wireshark's APIs to do complex operations like reassembly, hash maps and conversations that may be needed to present the protocol PDUs.

Decryption requires some knowledge about cryptography and how to use the crypto libraries.

Doing GUI work requires Qt/GTK knowledge.

Work on the dissection engine requires a deeper knowledge of Wireshark internals and more advanced programming skills.

Working on the capturing part and libpcap may require a deeper knowledge of various OSes' network stacks and kernel inner workings.

So it all depends on what your goal is and how much time you are prepared to put in.

(14 Aug '15, 03:52) Anders ♦

Sorry to bother again. I have been going through all the stuff listed above. The work load looks enormous, intimidating and indecipherable.

In the bigger scheme of things I would want to dissect protocols (work on dissection engine).

Is there a road map that I could follow, perhaps a set of small projects that will gradually help me build up my knowledge base over a period of time? For example: (A) which simple protocol should I pick up first to analyze, (B) what resources/RFCs should I read, etc.

I am not expecting to be spoon fed but just seeking a direction and some help so that I don't get lost in this technical maze.

Thanks Again for taking time out !

(14 Aug '15, 07:07) Monu


Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.

For writing dissectors you could look at my presentation for SharkFest on writing a Dissector, although you'll probably be interested in just the C part.

Finding a protocol that isn't yet dissected by Wireshark is quite hard; for my presentation I created one, and writing the server and client for your own protocol would be a good introduction to network programming itself.

One way to start with coding and Wireshark is to look at bugs on the Wireshark Bugzilla, pick one that seems to make sense to you and have a go. Ask on the Wireshark dev mailing list if things aren't clear on a particular bug. You also must read the fine documentation that @Jaap listed, in particular the Developers Guide and README.dissector.

(14 Aug '15, 07:30) grahamb ♦


Now I find myself a little confused and in the middle of nowhere. I would like to learn & make tools such as Wireshark (I understand it's a very complex tool with years of man hours effort gone into it... but all newbies have to start somewhere :-) )

Wireshark is way too complex to start with after a C programming course. I guess you don't have much programming experience, so you should look at a task that is achievable in a certain amount of time. If you are interested in network sniffers, you should probably first start with a libpcap tutorial. That should teach you:

  • more C coding (hopefully)
  • a better understanding of network capturing techniques
  • the structure of a pcap file
  • how to write a small network sniffer

After you've done that, you can start with more advanced tasks, like trying to re-write a dissector for an already existing protocol, like SMTP or something similar, obviously without looking at the existing code ;-)).


answered 15 Aug '15, 02:37

Kurt Knochner ♦
accept rate: 15%
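
The "structure of a pcap file" item from the answer above, as an added example that is not part of the original post and not libpcap's own code: a bounds-checked walk over the classic pcap layout (24-byte file header, then a 16-byte header before each packet). The name `pcap_walk` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Read a 32-bit field; swap is set when file and host byte order differ. */
static uint32_t rd32(const uint8_t *p, int swap) {
    uint32_t v;
    memcpy(&v, p, 4);
    return swap ? (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24) : v;
}

/* Walk a classic pcap image held in memory (hypothetical helper).
 * Returns the number of complete packet records, or -1 if the data is
 * not pcap or a record is malformed. *linktype receives the link-layer
 * type, *bytes the total number of captured packet bytes. */
int pcap_walk(const uint8_t *buf, size_t len, uint32_t *linktype, size_t *bytes) {
    if (len < 24) return -1;                     /* file header is 24 bytes */
    uint32_t magic = rd32(buf, 0);
    int swap;
    if (magic == 0xa1b2c3d4u) swap = 0;          /* written in host order */
    else if (magic == 0xd4c3b2a1u) swap = 1;     /* written in the other order */
    else return -1;
    *linktype = rd32(buf + 20, swap);
    *bytes = 0;
    int count = 0;
    size_t off = 24;
    while (len - off >= 16) {                    /* record header is 16 bytes */
        uint32_t incl = rd32(buf + off + 8, swap);   /* bytes stored in file */
        uint32_t orig = rd32(buf + off + 12, swap);  /* bytes seen on the wire */
        off += 16;
        /* Lengths come from the file: bound them before advancing. */
        if (incl > orig || incl > len - off) return -1;
        *bytes += incl;
        off += incl;
        count++;
    }
    return off == len ? count : -1;              /* reject a partial trailing header */
}

/* Constructed sample: little-endian pcap v2.4, linktype 1 (Ethernet), two records. */
static const uint8_t sample[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0,
    0xff,0xff,0x00,0x00, 0x01,0x00,0x00,0x00,
    1,0,0,0, 0,0,0,0, 4,0,0,0, 4,0,0,0, 0xde,0xad,0xbe,0xef, /* full 4-byte packet */
    2,0,0,0, 0,0,0,0, 2,0,0,0, 6,0,0,0, 0xca,0xfe            /* 2 of 6 bytes kept */
};

int main(void) {
    uint32_t lt; size_t n;
    int c = pcap_walk(sample, sizeof sample, &lt, &n);
    printf("%d packets, linktype %u, %zu captured bytes\n", c, (unsigned)lt, n);
    return c == 2 ? 0 : 1;
}
```

The length check before `off += incl` is the part a dissector or sniffer must not skip: every length in a capture file or packet is untrusted input.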