1. 函数调用

//初始化wtap、epan、wslog等，获取网卡
int
main(int argc, char *argv[])
//libpcap收包模式入口
static gboolean
capture(void)
//创建子进程：调用dumpcap将lipcap抓的包写入PIPE
//注册PIPE读端回调函数pipe_fd_cb
gboolean
sync_pipe_start(capture_options *capture_opts, GPtrArray *capture_comments,capture_session *cap_session, info_data_t* cap_data,void (*update_cb)(void))
//PIPE读端回调函数                
static gboolean               
pipe_fd_cb(gint fd, GIOCondition condition _U_, gpointer user_data)        
/* There's stuff to read from the sync pipe, meaning the child has sentus a message, or the sync pipe has closed, meaning the child hasclosed it (perhaps because it exited). */
static gboolean
sync_pipe_input_cb(gint source, gpointer user_data)        
/* capture child tells us we have new packets to read */
static void
capture_input_new_packets(capture_session *cap_session, int to_read)
//处理一个packet
static gboolean
process_packet_single_pass(capture_file *cf, epan_dissect_t *edt, gint64 offset,wtap_rec *rec, Buffer *buf, guint tap_flags)
//调用dissect_record解析数据包        
void
epan_dissect_run_with_taps(epan_dissect_t *edt, int file_type_subtype,wtap_rec *rec, tvbuff_t *tvb, frame_data *fd,column_info *cinfo)   
/* Creates the top-most tvbuff and calls dissect_frame() */
void
dissect_record(epan_dissect_t *edt, int file_type_subtype,wtap_rec *rec, tvbuff_t *tvb, frame_data *fd, column_info *cinfo)