4 extcap - The extcap interface
8 The extcap interface is a versatile plugin interface that allows external binaries
9 to act as capture interfaces directly in wireshark. It is used in scenarios, where
10 the source of the capture is not a traditional capture model
11 (live capture from an interface, from a pipe, from a file, etc). The typical
12 example is connecting esoteric hardware of some kind to the main wireshark app.
14 Without extcap, a capture can always be achieved by directly writing to a capture file:
16 the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap &
17 wireshark dumpfile.pcap
19 but the extcap interface allows for such a connection to be easily established and
20 configured using the wireshark GUI.
22 The extcap subsystem is made of multiple extcap binaries that are automatically
23 called by the GUI in a row. In the following chapters we will refer to them as
26 Extcaps may be any binary or script within the extcap directory. Please note, that scripts
27 need to be executable without prefacing a script interpreter before the call. To go deeper
28 into the extcap utility development, please refer to README.extcap.
30 WINDOWS USER: Because of restrictions directly calling the script may not always work.
31 In such a case, a batch file may be provided, which then in turn executes the script. Please
32 refer to doc/extcap_example.py for more information.
34 =head1 GRAMMAR ELEMENTS
42 argument for CLI calling
46 Reference # of argument for other values, display order
50 Literal argument to call (--call=...)
58 Default value, in proper form for type
62 Range of valid values for UI checking (min,max) in proper form
66 Argument type for UI filtering for raw, or UI type for selector:
70 long (may include scientific / special notation)
72 selector (display selector table, all values as strings)
73 boolean (display checkbox)
74 radio (display group of radio buttons with provided values, all values as strings)
75 fileselect (display a dialog to select a file from the filesystem, value as string)
76 multicheck (display a textbox for selecting multiple options, values as strings)
77 password (display a textbox with masked text)
78 timestamp (display a calendar)
82 Values for argument selection
83 arg Argument # this value applies to
91 arg {number=0}{call=--channel}{display=Wi-Fi Channel}{type=integer}{required=true}
92 arg {number=1}{call=--chanflags}{display=Channel Flags}{type=radio}
93 arg {number=2}{call=--interface}{display=Interface}{type=selector}
94 value {arg=0}{range=1,11}
95 value {arg=1}{value=ht40p}{display=HT40+}
96 value {arg=1}{value=ht40m}{display=HT40-}
97 value {arg=1}{value=ht20}{display=HT20}
98 value {arg=2}{value=wlan0}{display=wlan0}
102 arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
103 value {arg=0}{call=/dev/sysfs/usb/foo/123}{display=Ubertooth One sn 1234}
104 value {arg=0}{call=/dev/sysfs/usb/foo/456}{display=Ubertooth One sn 8901}
108 arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
109 arg {number=1}{call=--server}{display=IP address for log server}{type=string}{validation=(?:\d{1,3}\.){3}\d{1,3}}
110 flag {failure=Permission denied opening Ubertooth device}
113 arg {number=0}{call=--username}{display=Username}{type=string}
114 arg {number=1}{call=--password}{display=Password}{type=password}
117 arg {number=0}{call=--start}{display=Start Time}{type=timestamp}
118 arg {number=1}{call=--end}{display=End Time}{type=timestamp}
120 =head1 Security awareness
124 =item - Users running wireshark as root, we can't save you
126 =item - Dumpcap retains suid/setgid and group+x permissions to allow users in wireshark group only
128 =item - Third-party capture programs run w/ whatever privs they're installed with
130 =item - If an attacker can write to a system binary directory, we're game over anyhow
132 =item - Reference the folders tab in the wireshark->about information, to see from which directory extcap is being run
138 wireshark(1), tshark(1), dumpcap(1), androiddump(1), sshdump(1), randpktdump(1)
142 B<Extcap> is feature of B<Wireshark>. The latest version
143 of B<Wireshark> can be found at L<https://www.wireshark.org>.
145 HTML versions of the Wireshark project man pages are available at:
146 L<https://www.wireshark.org/docs/man-pages>.