NAME¶

extcap - The external capture interface

DESCRIPTION¶

The extcap (external capture) interface is a versatile plugin interface that allows external binaries to act as capture interfaces directly in Wireshark. It is used in scenarios, where the source of the capture is not a traditional capture model (live capture from an interface, from a pipe, from a file, etc). The typical example is connecting esoteric hardware of some kind to the main Wireshark application.

Without extcap, a capture can always be achieved by directly writing to a capture file:

the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap &
wireshark dumpfile.pcap

but the extcap interface allows for such a connection to be easily established and configured using the Wireshark GUI.

The extcap subsystem is made of multiple extcap binaries that are automatically called by the GUI in a row. In the following chapters we will refer to them as "the extcaps".

Extcaps may be any binary or script within the extcap/wireshark or extcap/stratoshark directories. Please note that scripts need to be executable without prefacing a script interpreter before the call.

WINDOWS USERS: Because of restrictions directly calling the script may not always work. In such a case, a batch file may be provided, which then in turn executes the script. Please refer to doc/extcap_example.py for more information.

When Wireshark launches an extcap, it automatically adds its installation path (normally C:\Program Files\Wireshark\) to the DLL search path so that the extcap library dependencies can be found (it is not designed to be launched by hand). This is done on purpose. There should only be extcap programs (executables, Python scripts, ...) in the extcap folder to reduce the startup time and not have Wireshark trying to execute other file types.

GRAMMAR ELEMENTS¶

Grammar elements:

arg (options)

number

call

display

default

range

type

integer
unsigned
long (may include scientific / special notation)
double
string (display a textbox)
selector (display selector table, all values as strings)
editselector (selector table which can be overridden, all values as strings)
boolean (display checkbox)
booleanflag (display checkbox)
radio (display group of radio buttons with provided values, all values as strings)
fileselect (display a dialog to select a file from the filesystem, value as string)
multicheck (display a textbox for selecting multiple options, values as strings)
table (display a table that is populated by the user, selections can be configured, values as commandlines arguments)
password (display a textbox with masked text)
timestamp (display a calendar)

value (options)

Values for argument selection
arg     Argument # this value applies to

EXAMPLES¶

Example 1:

arg {number=0}{call=--channel}{display=Wi-Fi Channel}{type=integer}{required=true}
arg {number=1}{call=--chanflags}{display=Channel Flags}{type=radio}
arg {number=2}{call=--interface}{display=Interface}{type=selector}
value {arg=0}{range=1,11}
value {arg=1}{value=ht40p}{display=HT40+}
value {arg=1}{value=ht40m}{display=HT40-}
value {arg=1}{value=ht20}{display=HT20}
value {arg=2}{value=wlan0}{display=wlan0}

Example 2:

arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
value {arg=0}{call=/dev/sysfs/usb/foo/123}{display=Ubertooth One sn 1234}
value {arg=0}{call=/dev/sysfs/usb/foo/456}{display=Ubertooth One sn 8901}

Example 3:

arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
arg {number=1}{call=--server}{display=IP address for log server}{type=string}{validation=(?:\d{1,3}\.){3}\d{1,3}}
flag {failure=Permission denied opening Ubertooth device}

Example 4:

arg {number=0}{call=--username}{display=Username}{type=string}
arg {number=1}{call=--password}{display=Password}{type=password}

Example 5: timestamp

arg {number=0}{call=--start}{display=Start Time}{type=timestamp}
arg {number=1}{call=--end}{display=End Time}{type=timestamp}

Example 6: multicheck

arg {number=0}{call=--device}{display=Device}{type=multicheck}
value {arg=0}{value=USBDEV}{display=USB devices}{enabled=false}
value {arg=0}{value=/dev/sysfs/usb/foo/123}{display=Ubertooth One sn 1234}{parent=USBDEV}
value {arg=0}{value=/dev/sysfs/usb/foo/456}{display=Ubertooth One sn 8901}{parent=USBDEV}
value {arg=0}{value=PCIDEV}{display=PCI devices}{enabled=false}
value {arg=0}{value=/sys/devices/pci123}{display=Device 1}{parent=PCIDEV}
value {arg=0}{value=/sys/devices/pci456}{display=Device 2}{parent=PCIDEV}

TABLE FIELD¶

The "table" field is a bit different, in that its values can have additional configuration options. The values can either be entered manually by the user, or a list of available values can be provided using the same API as "multicheck". Unlike most APIs, the value is provided using a commandline-like API, separated by spaces instead of comas. For instance, a configured "myparam" attribute where the user selected three values (1, 2 and 3) would receive:

--myparam "1 2 3"

If a "prefix" is configured to be "--p", it would receive the following:

--myparam "--p 1 --p 2 --p 3"

The values selected in a table field may have specific configuration options, if "configurable=true" for the "multicheck" field. In this case, the extcap will be called again when the user presses the configuration wheel that matches a value in the table, with the additional "--extcap-config-option-name <option_name> --extcap-config-option-value <option_value>" with no prefix. An extcap program should respond with an additional set of arguments, which will be opened in a popup. Once those are configured, the extcap might get the following, assuming for instance that an additional "param1" is requested when value is 1, and "param2" when value is 2.

--myparam "--p 1 --param1 1 --p 2 --param2 true --p 3"

SECURITY CONSIDERATIONS¶

SEE ALSO¶

wireshark(1), tshark(1), dumpcap(1), androiddump(1), sshdig(1), sshdump(1), randpktdump(1)

NOTES¶

Extcap is feature of Wireshark. The latest version of Wireshark can be found at <https://www.wireshark.org>.

HTML versions of the Wireshark project man pages are available at <https://www.wireshark.org/docs/man-pages>.