1EXTCAP(4) The Wireshark Network Analyzer EXTCAP(4)
2
3
4
6 extcap - The extcap interface
7
9 The extcap interface is a versatile plugin interface that allows
10 external binaries to act as capture interfaces directly in wireshark.
11 It is used in scenarios, where the source of the capture is not a
12 traditional capture model (live capture from an interface, from a pipe,
13 from a file, etc). The typical example is connecting esoteric hardware
14 of some kind to the main wireshark app.
15
16 Without extcap, a capture can always be achieved by directly writing to
17 a capture file:
18
19 the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap &
20 wireshark dumpfile.pcap
21
22 but the extcap interface allows for such a connection to be easily
23 established and configured using the wireshark GUI.
24
25 The extcap subsystem is made of multiple extcap binaries that are
26 automatically called by the GUI in a row. In the following chapters we
27 will refer to them as "the extcaps".
28
29 Extcaps may be any binary or script within the extcap directory. Please
30 note, that scripts need to be executable without prefacing a script
31 interpreter before the call. To go deeper into the extcap utility
32 development, please refer to README.extcap.
33
34 WINDOWS USER: Because of restrictions directly calling the script may
35 not always work. In such a case, a batch file may be provided, which
36 then in turn executes the script. Please refer to doc/extcap_example.py
37 for more information.
38
40 Grammar elements:
41
42 arg (options)
43 argument for CLI calling
44
45 number
46 Reference # of argument for other values, display order
47
48 call
49 Literal argument to call (--call=...)
50
51 display
52 Displayed name
53
54 default
55 Default value, in proper form for type
56
57 range
58 Range of valid values for UI checking (min,max) in proper form
59
60 type
61 Argument type for UI filtering for raw, or UI type for selector:
62
63 integer
64 unsigned
65 long (may include scientific / special notation)
66 float
67 selector (display selector table, all values as strings)
68 boolean (display checkbox)
69 radio (display group of radio buttons with provided values, all values as strings)
70 fileselect (display a dialog to select a file from the filesystem, value as string)
71 multicheck (display a textbox for selecting multiple options, values as strings)
72 password (display a textbox with masked text)
73 timestamp (display a calendar)
74
75 value (options)
76 Values for argument selection
77 arg Argument # this value applies to
78
80 Example 1:
81
82 arg {number=0}{call=--channel}{display=Wi-Fi Channel}{type=integer}{required=true}
83 arg {number=1}{call=--chanflags}{display=Channel Flags}{type=radio}
84 arg {number=2}{call=--interface}{display=Interface}{type=selector}
85 value {arg=0}{range=1,11}
86 value {arg=1}{value=ht40p}{display=HT40+}
87 value {arg=1}{value=ht40m}{display=HT40-}
88 value {arg=1}{value=ht20}{display=HT20}
89 value {arg=2}{value=wlan0}{display=wlan0}
90
91 Example 2:
92
93 arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
94 value {arg=0}{call=/dev/sysfs/usb/foo/123}{display=Ubertooth One sn 1234}
95 value {arg=0}{call=/dev/sysfs/usb/foo/456}{display=Ubertooth One sn 8901}
96
97 Example 3:
98
99 arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
100 arg {number=1}{call=--server}{display=IP address for log server}{type=string}{validation=(?:\d{1,3}\.){3}\d{1,3}}
101 flag {failure=Permission denied opening Ubertooth device}
102
103 Example 4:
104 arg {number=0}{call=--username}{display=Username}{type=string}
105 arg {number=1}{call=--password}{display=Password}{type=password}
106
107 Example 5:
108 arg {number=0}{call=--start}{display=Start Time}{type=timestamp}
109 arg {number=1}{call=--end}{display=End Time}{type=timestamp}
110
112 - Users running wireshark as root, we can't save you
113 - Dumpcap retains suid/setgid and group+x permissions to allow users in
114 wireshark group only
115 - Third-party capture programs run w/ whatever privs they're installed
116 with
117 - If an attacker can write to a system binary directory, we're game
118 over anyhow
119 - Reference the folders tab in the wireshark->about information, to see
120 from which directory extcap is being run
121
123 wireshark(1), tshark(1), dumpcap(1), androiddump(1), sshdump(1),
124 randpktdump(1)
125
127 Extcap is feature of Wireshark. The latest version of Wireshark can be
128 found at <https://www.wireshark.org>.
129
130 HTML versions of the Wireshark project man pages are available at:
131 <https://www.wireshark.org/docs/man-pages>.
132
133
134
1352.6.2 2018-07-18 EXTCAP(4)