This wiki has been migrated to and is now deprecated. Please use that site instead.

"The extcap interface is a versatile plugin interface that allows external binaries to act as capture interfaces directly in wireshark. It is used in scenarios, where the source of the capture is not a traditional capture model (live capture from an interface, from a pipe, from a file, etc)." -- doc/README.extcap (Now in 8.2. Extcap: Developer Guide )

This page aims to help discussion the development of extcap internals.


(Should probably be filled in bugzilla, but this keeps it in one overview.) All extcap bugs:

Issue: Slow discovery, interfaces list cannot be configured

Even if you capture from a local interface (cf. tshark -i lo), it will invoke all extcap helpers (twice) according to strace. I have not checked yet with the GUI, but it will probably be worse.

Ideas (suggestions):

Alternatively, we could impose restrictions on the filename and require a certain pattern (*dump[.ext]) which makes it even faster.

Current flow

Based on doc/README.extcap (8.2. Extcap: Developer Guide), for all extcap binaries in the extcap directory:

  1. Discover version and interfaces: --extcap-interfaces

  2. Find DLTs for interface: --extcap-interface IFACE --extcap-dlts

  3. Configuration options (for UI): --extcap-interface IFACE --extcap-config

  4. (on start capture) Start capture: --extcap-interface IFACE [params] --capture [--extcap-capture-filter CFILTER] --fifo FIFO

New flow

For all extcap binaries:

  1. Discover version, identifiers and possible parameters to influence discovery (e.g. SSH host, Android serial)

Question - What should be displayed for androiddump after just printing the utility? There can be anywhere up to 10 connections for androiddump alone, without known which to use.

For each extcap binary and a given parameters (for discovery with tshark -D or in the GUI):

  1. Find extcap interfaces ("eth0", "eth1" -> "", ""). (NOTE: depends on prior configuration of parameters as needed)

  2. Find interface-specific options (XXX do these exist now that the parameter is part of the interface name?)
  3. (on start capture) Start capture with given options.

    I do not really get the need for "". This will clutter up the list way more and does not really help in reducing the number of interfaces, nor discovery (as it simply does not discover anything in any way). The real issue here are utilites like androiddump, which need to scan during bootup for interfaces and their capabilities. But this is a question on when this scan happens and how it is handled. It has to be done during each bootup and only the utility knows how and when it is being done. extcap cannot mandate nor influence how this scan or when this scan may happen. What can be done is first scanning for possible extcaps and delaying the actual query of interfaces, until after the GUI has finished loading. That way, the GUI loads fast, but only if we actually want to start a trace, the interface list will be loaded for that specific extcap.


How feasible is it to execute a program and communicate over a pipe? This also avoids leaking passwords in the process list and allows some expensive state to be kept.

Answer: The idea behind extcap utilities is to provide an existing utility and expand it's capabilities to directly send traces to wireshark. I agree, that for sshdump this opens up a security consideration, but this can be resolved by using an identity file for ssh/ciscodump.

Development/Extcap (last edited 2020-05-07 03:24:31 by ChuckCraft)