Wireshark mailing list archives
Re: How to properly finalize capture in a Wireshark extcap plugin?
From: Graham Bloice <graham.bloice () trihedral com>
Date: Tue, 24 Nov 2020 09:08:32 +0000
Windows Console applications have a handler to respond to console events, the default handler simply exits the process. Sending the console events is a little tricky, but there are workarounds, see here: https://blog.codetitans.pl/post/sending-ctrl-c-signal-to-another-application-on-windows . Without having done any of this, I imagine the extcap "controller" would send a console event to indicate the extcap should close the capture, e.g. the Ctrl + C or Ctrl + Break events, and if the extcap process has a handler to catch the event, do whatever it wishes before exiting. Making the extcap "controller" keep the pipe open for the appropriate amount of time might also require work. On Tue, 24 Nov 2020 at 08:44, Timmy Brolin <tib () hms se> wrote:
There seems to exist several alternative ways of doing it in Windows. Such as sending WM_QUIT or WM_CLOSE on the message queue,This assumes that the program you're trying to tell to terminate *has* amessage queue to which it pays attention.Extcap programs are character-mode (console) programs, not windowsprograms; unless there's some hidden thread that's listening to a Windows message queue in those programs, they won't see that message. Well, since I am writing the extcap, I can certainly add a Windows message queue, if that is what it takes to make it work properly with Wireshark. I have made some tests with this, but so far I have not seen a WM_CLOSE or WM_QUIT message on the queue.or CTRL_BREAK_EVENT via SetConsoleCtrlHandler().According to a comment in sig_pipe_kill() in capchild/capture_sync.c: so that might not work either.So is there no way for an extcap to gracefully end a capture? And thereby no way to for an extcap to send a Interface Statistics Block to Wireshark? I would like for the extcap to be able to report number of dropped packets to wireshark. According to the pcapng specification, this can be done either via the "epb_dropcount" option in the Enhanced Packet Block or via the "isb_ifdrop" or " isb_osdrop" options in the Interface Statistics block. Out of these three options, Wireshark only seems to support the "isb_ifdrop" option, so the Interface Statistics Block is the only way to report dropped packets.
-- Graham Bloice
___________________________________________________________________________ Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org> Archives: https://www.wireshark.org/lists/wireshark-dev Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
Current thread:
- How to properly finalize capture in a Wireshark extcap plugin? Timmy Brolin (Nov 23)
- Re: How to properly finalize capture in a Wireshark extcap plugin? Dario Lombardo (Nov 23)
- Re: How to properly finalize capture in a Wireshark extcap plugin? Timmy Brolin (Nov 23)
- Re: How to properly finalize capture in a Wireshark extcap plugin? Guy Harris (Nov 23)
- Re: How to properly finalize capture in a Wireshark extcap plugin? Timmy Brolin (Nov 24)
- Re: How to properly finalize capture in a Wireshark extcap plugin? Graham Bloice (Nov 24)
- Re: How to properly finalize capture in a Wireshark extcap plugin? Timmy Brolin (Nov 24)
- Re: How to properly finalize capture in a Wireshark extcap plugin? Timmy Brolin (Nov 23)
- Re: How to properly finalize capture in a Wireshark extcap plugin? Dario Lombardo (Nov 23)