Re: How to properly finalize capture in a Wireshark extcap plugin?

[Timmy Brolin <tib () hms se>]

Proposed solution

I have investigated this in more depth and found that Wireshark simply does not do any kind of graceful termination of 
extcaps. It always kills extcaps forcefully, which causes loss of data on the capture pipe.
Particularly the pcapng “Interface Statistics Block” is always lost, which probably is why none of the built-in extcaps 
in Wireshark supports the Interface Statistics block at the moment: They can’t.

Win32 offers very few methods for graceful termination of processes. The most recommended standard method to my 
knowledge is to use the WM_CLOSE message. Which is what I have implemented here:
https://gitlab.com/wireshark/wireshark/-/merge_requests/2063

Regards,
Timmy Brolin



From: Wireshark-dev <wireshark-dev-bounces () wireshark org> On Behalf Of Timmy Brolin
Sent: den 24 november 2020 11:07
To: Developer support list for Wireshark <wireshark-dev () wireshark org>
Subject: Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

> Windows Console applications have a handler to respond to console events, the default handler simply exits the 
> process.  Sending the console events is a little tricky, but there are workarounds, see here: 
> https://blog.codetitans.pl/post/sending-ctrl-c-signal-to-another-application-on-windows.

I am working on a extcap, I only need to know what kind of event to listen to from Wireshark.
> Without having done any of this, I imagine the extcap "controller" would send a console event to indicate the extcap 
> should close the capture, e.g. the Ctrl + C or Ctrl + Break events, and if the extcap process has a handler to catch 
> the event, do whatever it wishes before exiting.  Making the extcap "controller" keep the pipe open for the 
> appropriate amount of time might also require work.


Reading through capchild/capture_sync.c I came across this function:

/* tell the child through the signal pipe that we want to quit the capture */
static void
signal_pipe_capquit_to_child(capture_session *cap_session)
{
    const char quit_msg[] = "QUIT";
    int ret;

    g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "signal_pipe_capquit_to_child");

    /* it doesn't matter *what* we send here, the first byte will stop the capture */
    /* simply sending a "QUIT" string */
    /*pipe_write_block(cap_session->signal_pipe_write_fd, SP_QUIT, quit_msg);*/
    ret = ws_write(cap_session->signal_pipe_write_fd, quit_msg, sizeof quit_msg);
    if(ret == -1) {
        g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
              "signal_pipe_capquit_to_child: %d header: error %s", cap_session->signal_pipe_write_fd, 
g_strerror(errno));
    }
}

It seems wireshark is supposed to send a “QUIT” string to extcap to gracefully stop a capture, 500ms before killing 
extcap?

I have tried having the extcap listening to “kbhit()” for stdin input, but I get nothing.
Is this “QUIT” message from Wireshark not piped to extcap stdin?

Or am I reading the code completely wrong?


On Tue, 24 Nov 2020 at 08:44, Timmy Brolin <tib () hms se<mailto:tib () hms se>> wrote:
> > There seems to exist several alternative ways of doing it in Windows.
> >
> > Such as sending WM_QUIT or WM_CLOSE on the message queue,
>
> This assumes that the program you're trying to tell to terminate *has* a message queue to which it pays attention.
>
> Extcap programs are character-mode (console) programs, not windows programs; unless there's some hidden thread that's 
> listening to a Windows message queue in those programs, they won't see that message.

Well, since I am writing the extcap, I can certainly add a Windows message queue, if that is what it takes to make it 
work properly with Wireshark.
I have made some tests with this, but so far I have not seen a WM_CLOSE or WM_QUIT message on the queue.

> > or CTRL_BREAK_EVENT via SetConsoleCtrlHandler().
>
> According to a comment in sig_pipe_kill() in capchild/capture_sync.c:
>
> so that might not work either.

So is there no way for an extcap to gracefully end a capture?
And thereby no way to for an extcap to send a Interface Statistics Block to Wireshark?


I would like for the extcap to be able to report number of dropped packets to wireshark.
According to the pcapng specification, this can be done either via the "epb_dropcount" option in the Enhanced Packet 
Block or via the "isb_ifdrop" or " isb_osdrop" options in the Interface Statistics block.
Out of these three options, Wireshark only seems to support the "isb_ifdrop" option, so the Interface Statistics Block 
is the only way to report dropped packets.

--
Graham Bloice

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe