Re: Adding pcap-ng pipe support to dumpcap

[Stephen Donnelly <Stephen.Donnelly () endace com>]

From: Guy Harris on Thursday, 31 August 2017 1:24 PM
> On Aug 30, 2017, at 4:58 PM, Stephen Donnelly <Stephen.Donnelly () endace com> wrote:

> > At the very least extcap tools should be able to supply data in any format understood by wiretap, but since the 
> > extcap data currently goes via dumpcap (maybe not sensible either?)
>
> Perhaps not, indeed.
>
> Currently, there's a protocol between dumpcap and {Wireshark,TShark} allowing dumpcap to tell *shark "I've appended N 
> more packets to the capture file", to allow dumpcap to report errors and "here's another capture file" (if it's doing 
> multiple files), etc..
>
> If extcap programs were to speak that protocol when capturing, you could have the extcap programs behave similarly to 
> dumpcap, writing packets directly to a file, and have *shark run the extcap program rather than running dumpcap.  
> I.e., make extcap programs act as substitutes for dumpcap.

Agreed. In fact if extcap programs can talk directly to *shark, then dumpcap becomes just another extcap program and 
not especially privileged.

Stephen

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe