2021-10-19 23:26:37 +00:00
include::../docbook/attributes.adoc[]
2021-06-18 10:20:51 +00:00
= extcap(4)
:doctype: manpage
:stylesheet: ws.css
:linkcss:
:copycss: ../docbook/{stylesheet}
2018-08-17 18:34:57 +00:00
2021-06-18 10:20:51 +00:00
== NAME
2014-02-25 13:05:11 +00:00
2016-12-09 10:44:11 +00:00
extcap - The extcap interface
2014-02-25 13:05:11 +00:00
2021-06-18 10:20:51 +00:00
== DESCRIPTION
2015-04-08 14:09:03 +00:00
2016-12-09 10:44:11 +00:00
The extcap interface is a versatile plugin interface that allows external binaries
2020-02-12 10:52:25 +00:00
to act as capture interfaces directly in Wireshark. It is used in scenarios, where
2016-12-09 10:44:11 +00:00
the source of the capture is not a traditional capture model
(live capture from an interface, from a pipe, from a file, etc). The typical
2020-02-12 10:52:25 +00:00
example is connecting esoteric hardware of some kind to the main Wireshark application.
2016-12-09 10:44:11 +00:00
Without extcap, a capture can always be achieved by directly writing to a capture file:
the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap &
wireshark dumpfile.pcap
but the extcap interface allows for such a connection to be easily established and
2020-02-12 10:52:25 +00:00
configured using the Wireshark GUI.
2016-12-09 10:44:11 +00:00
The extcap subsystem is made of multiple extcap binaries that are automatically
called by the GUI in a row. In the following chapters we will refer to them as
"the extcaps".
Extcaps may be any binary or script within the extcap directory. Please note, that scripts
2019-06-09 12:06:00 +00:00
need to be executable without prefacing a script interpreter before the call.
2016-12-09 10:44:11 +00:00
2022-07-29 21:27:04 +00:00
WINDOWS USERS: Because of restrictions directly calling the script may not always work.
2016-12-09 10:44:11 +00:00
In such a case, a batch file may be provided, which then in turn executes the script. Please
refer to doc/extcap_example.py for more information.
2022-08-07 19:21:26 +00:00
When Wireshark launches an extcap, it automatically adds its installation path (normally _C:\Program Files\Wireshark\_) to the DLL search path so that the extcap library dependencies can be found (it is not designed to be launched by hand).
This is done on purpose. There should only be extcap programs (executables, Python scripts, ...) in the extcap folder to reduce the startup time and not have Wireshark trying to execute other file types.
2019-06-09 12:06:00 +00:00
2021-06-18 10:20:51 +00:00
== GRAMMAR ELEMENTS
2016-12-09 10:44:11 +00:00
2015-04-08 14:09:03 +00:00
Grammar elements:
2021-06-18 10:20:51 +00:00
arg (options)::
2015-04-08 14:09:03 +00:00
argument for CLI calling
2021-06-18 10:20:51 +00:00
number::
2015-04-08 14:09:03 +00:00
Reference # of argument for other values, display order
2021-06-18 10:20:51 +00:00
call::
2015-04-08 14:09:03 +00:00
Literal argument to call (--call=...)
2021-06-18 10:20:51 +00:00
display::
2015-04-08 14:09:03 +00:00
Displayed name
2021-06-18 10:20:51 +00:00
default::
2015-04-08 14:09:03 +00:00
Default value, in proper form for type
2021-06-18 10:20:51 +00:00
range::
2015-04-08 14:09:03 +00:00
Range of valid values for UI checking (min,max) in proper form
2021-06-18 10:20:51 +00:00
type::
+
--
2015-04-08 14:09:03 +00:00
Argument type for UI filtering for raw, or UI type for selector:
integer
unsigned
long (may include scientific / special notation)
float
selector (display selector table, all values as strings)
2022-10-06 20:43:53 +00:00
editselector (selector table which can be overridden, all values as strings)
2015-04-08 14:09:03 +00:00
boolean (display checkbox)
radio (display group of radio buttons with provided values, all values as strings)
2015-10-26 13:07:49 +00:00
fileselect (display a dialog to select a file from the filesystem, value as string)
multicheck (display a textbox for selecting multiple options, values as strings)
2016-01-18 11:01:14 +00:00
password (display a textbox with masked text)
2016-11-09 12:56:12 +00:00
timestamp (display a calendar)
2021-06-18 10:20:51 +00:00
--
2015-04-08 14:09:03 +00:00
2021-06-18 10:20:51 +00:00
value (options)::
+
--
2015-04-08 14:09:03 +00:00
Values for argument selection
2014-02-25 13:05:11 +00:00
arg Argument # this value applies to
2021-06-18 10:20:51 +00:00
--
2015-04-08 14:09:03 +00:00
2021-06-18 10:20:51 +00:00
== EXAMPLES
2015-04-08 14:09:03 +00:00
2015-10-26 13:07:49 +00:00
Example 1:
2015-04-08 14:09:03 +00:00
2015-12-30 13:46:03 +00:00
arg {number=0}{call=--channel}{display=Wi-Fi Channel}{type=integer}{required=true}
arg {number=1}{call=--chanflags}{display=Channel Flags}{type=radio}
arg {number=2}{call=--interface}{display=Interface}{type=selector}
2015-04-08 14:09:03 +00:00
value {arg=0}{range=1,11}
value {arg=1}{value=ht40p}{display=HT40+}
value {arg=1}{value=ht40m}{display=HT40-}
value {arg=1}{value=ht20}{display=HT20}
value {arg=2}{value=wlan0}{display=wlan0}
Example 2:
2015-12-30 13:46:03 +00:00
arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
2015-04-08 14:09:03 +00:00
value {arg=0}{call=/dev/sysfs/usb/foo/123}{display=Ubertooth One sn 1234}
value {arg=0}{call=/dev/sysfs/usb/foo/456}{display=Ubertooth One sn 8901}
Example 3:
2015-12-30 13:46:03 +00:00
arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
arg {number=1}{call=--server}{display=IP address for log server}{type=string}{validation=(?:\d{1,3}\.){3}\d{1,3}}
2015-04-08 14:09:03 +00:00
flag {failure=Permission denied opening Ubertooth device}
2016-01-18 11:01:14 +00:00
Example 4:
2022-07-29 21:27:04 +00:00
2016-01-18 11:01:14 +00:00
arg {number=0}{call=--username}{display=Username}{type=string}
arg {number=1}{call=--password}{display=Password}{type=password}
2016-11-09 12:56:12 +00:00
Example 5:
2022-07-29 21:27:04 +00:00
2016-11-09 12:56:12 +00:00
arg {number=0}{call=--start}{display=Start Time}{type=timestamp}
arg {number=1}{call=--end}{display=End Time}{type=timestamp}
2022-07-29 21:27:04 +00:00
== Security Considerations
2015-04-08 14:09:03 +00:00
2022-07-29 21:27:04 +00:00
- If you're running Wireshark as root, we can't save you.
- Dumpcap retains suid/setgid and group execute permissions for users in the “wireshark” group only.
- Third-party capture programs run with whatever privileges they're installed with.
- If an attacker can write to a system binary directory, it's game over.
- You can find your local extcap directory in menu:About[Folders].
2015-04-08 14:09:03 +00:00
2021-06-18 10:20:51 +00:00
== SEE ALSO
2015-04-08 14:09:03 +00:00
2021-06-18 10:20:51 +00:00
xref:wireshark.html[wireshark](1), xref:tshark.html[tshark](1), xref:dumpcap.html[dumpcap](1), xref:androiddump.html[androiddump](1), xref:sshdump.html[sshdump](1), xref:randpktdump.html[randpktdump](1)
2015-04-08 14:09:03 +00:00
2021-06-18 10:20:51 +00:00
== NOTES
2015-04-08 14:09:03 +00:00
2022-07-29 21:27:04 +00:00
*Extcap* is feature of *Wireshark*.
The latest version of *Wireshark* can be found at https://www.wireshark.org.
2015-04-08 14:09:03 +00:00
2021-10-01 02:39:09 +00:00
HTML versions of the Wireshark project man pages are available at
2021-06-18 10:20:51 +00:00
https://www.wireshark.org/docs/man-pages.