Netdude's Architecture

This chapter describes Netdude's architecture. It is intended to give you a better understanding of what is going on under the hood, particularly if you consider extending Netdude by contributing a plugin.

Starting with the 0.4 release, Netdude's architecture has become much more modularized. There is now a clear separation of packet manipulation and GUI functionality. The following diagram illustrates this:

Netdude's architecture.

At the very bottom sits libpcap, as its functionality is of course used to understand trace files in general. It is rarely used directly; rather, libpcapnav is commonly used. It provides a thin wrapper around libpcap and introduces an API to allow trace file navigation (i.e., the ability to jump to arbitrary locations in the trace, specified using timestamps or fractional offsets). It is based on Vern Paxson's tcpslice tool and has been improved to be more robust, although it does take a little (normally unnoticeable) bit longer to synchronize with the packet stream at a new location in a trace.
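The synchronization step mentioned above, as an added example in Python (not libpcapnav's code): after a jump to a fractional offset the reader usually lands mid-packet and has to find the next record boundary without trusting arbitrary bytes as a header. It assumes a little-endian classic pcap file whose first and last timestamps are already known; `build_trace`, `plausible` and `resync` are hypothetical names, and the trace is constructed inline.

```python
import struct

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, zone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, caplen, len

def build_trace(n=50, snaplen=96, t0=1_000_000_000):
    """Constructed sample: n records, one per second, 40-89 byte 0xAA payloads."""
    out, offsets = bytearray(GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)), []
    for i in range(n):
        size = 40 + (i * 7) % 50
        offsets.append(len(out))
        out += REC_HDR.pack(t0 + i, i * 1000, size, size) + b"\xaa" * size
    return bytes(out), offsets

def plausible(buf, off, snaplen, t_first, t_last):
    """Return caplen if a sane record header could start at off, else None."""
    if off + REC_HDR.size > len(buf):
        return None
    sec, usec, caplen, length = REC_HDR.unpack_from(buf, off)
    ok = (t_first <= sec <= t_last and usec < 1_000_000
          and 0 < caplen <= snaplen and caplen <= length
          and off + REC_HDR.size + caplen <= len(buf))  # never read past EOF
    return caplen if ok else None

def resync(buf, fraction, t_first, t_last, chain=3):
    """First offset at or after the fractional position where `chain`
    consecutive plausible headers (or a clean run to EOF) begin."""
    snaplen = GLOBAL_HDR.unpack_from(buf, 0)[5]
    start = GLOBAL_HDR.size + int(fraction * (len(buf) - GLOBAL_HDR.size))
    for off in range(start, len(buf) - REC_HDR.size + 1):
        cur, seen = off, 0
        while seen < chain:
            caplen = plausible(buf, cur, snaplen, t_first, t_last)
            if caplen is None:
                break
            cur, seen = cur + REC_HDR.size + caplen, seen + 1
            if cur == len(buf):   # ran cleanly to end of file
                seen = chain
        if seen == chain:
            return off
    return None

if __name__ == "__main__":
    buf, offsets = build_trace()
    t0 = 1_000_000_000
    print(resync(buf, 0.5, t0, t0 + 49), resync(buf, 0.99, t0, t0 + 49))
```

Requiring a chain of headers that each point exactly at the next one is what keeps payload bytes that merely resemble a header from being accepted as a boundary.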

The next layer is the heart of the system: libnetdude, the packet manipulation component. libnetdude provides data structures and APIs to create and manipulate arbitrarily large traces, packets, trace parts, trace navigation, protocols, tcpdump output, and packet filters. Individual protocol support is provided through plugins, implemented as dynamically loaded shared libraries. These plugins serve the purpose of structuring raw packet data. libnetdude initializes packets as much as the installed protocol plugins allow, augmenting each packet with information about the nesting structure of the protocols contained in the packet's raw data. This makes it easy to obtain, say, the TCP headers of a packet. libnetdude also provides the infrastructure for feature plugins; those are plugins that encapsulate arbitrary packet manipulation modules and make them accessible to other developers through a common interface. libnetdude can also associate open trace files with a tcpdump process that can be used to obtain tcpdump output for individual packets. Please refer to libnetdude's documentation for more details.

Finally, the Netdude application is primarily a GUI front end to libnetdude and libpcapnav. Events in libnetdude such as packet insertions & deletions, packet filtering, filter installation, saving a trace to disk, etc. are passed up to Netdude using an observer/observee pattern — Netdude registers observers with libnetdude that pass packet and trace events up to the front end. Netdude also mirrors libnetdude's plugin system at the GUI level: developers can contribute GUI feature and protocol plugins that provide dialogs to access external code and display protocol data, respectively.