kor44/extcap

EXTCAP

Extcap helps create CLI applications for Wireshark capture using the extcap interface.

EXTCAP principles

This is a simple explanation of extcap principles. An EXTCAP application is an ordinary executable file. Wireshark runs this application and controls its behaviour by passing command-line flags. Some of these flags are commands; the other flags are parameters of those commands.

Commands

There are five commands.

1. Get list of interfaces

--extcap-interfaces - request to provide the list of available interfaces. This list is displayed in Wireshark.

Example

$ go_sshdump.exe --extcap-interfaces
interface {value=go_sshdump}{display=SSH remote capture (Golang version)}

2. Get config options of interface

--extcap-config - request to provide the available configuration options of an interface.

Required parameters:
--extcap-interface <string> - specifies the name of the interface for which configuration options should be provided. In extcap terms, configuration options are called "arguments".

Example:

sshdump.exe --extcap-config --extcap-interface sshdump

The last sshdump is the name of the interface. It can be any name; it is taken from the result of the --extcap-interfaces command.

3. Get value of DLT

--extcap-dlts - request to provide the list of DLTs supported by the interface.

Required parameters:
--extcap-interface <string> - specifies the name of the interface for which DLTs should be provided.

Example:

$ sshdump.exe --extcap-dlts --extcap-interface sshdump
dlt {number=147}{name=sshdump}{display=Remote capture dependent DLT}

4. Start capture

--capture - start capture

Required parameters:
--extcap-interface <interface_name> - name of interface
--fifo <fifo_name> - name of fifo

Optional parameters:
--extcap-capture-filter <filter_expression> - capture filter expression

Other optional parameters depend on the application (or interface) and are the ones declared by --extcap-config.

Example for sshdump:

sshdump.exe --capture --extcap-interface sshdump.exe --fifo \\.\pipe\wireshark_extcap_sshdump.exe_temp --remote-host 10.3.142.3 --remote-port 22 --remote-username root --remote-interface any --remote-capture-command-select tcpdump --remote-priv none --remote-filter "not port 22 and not host 127.0.0.1" --remote-count 0 --log-level message

5. Print tool version

--extcap-version - print tool version

There are no optional or required parameters.

Example

$ go_sshdump.exe --extcap-version
extcap {version=0.0.1}{help=https://github.com/kor44/extcap}
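The five commands above, handled directly in Go without the library, as an added example that is not part of kor44/extcap: Respond maps the command flags Wireshark passes to the exact stdout lines it expects, and refuses interface-bound commands whose --extcap-interface is not the advertised name. The interface name demo_extcap, the single config argument and the version are constructed for this example; a main function would pass os.Args[1:] to Respond and print the result.

```go
package main

import (
	"fmt"
	"strings"
)

const ifaceName = "demo_extcap" // constructed interface name for this example

// parseArgs maps "--flag value" and bare "--flag" to a lookup table.
func parseArgs(args []string) map[string]string {
	opts := map[string]string{}
	for i, a := range args {
		if strings.HasPrefix(a, "--") {
			opts[a] = "" // the value, if any, is the next non-flag token
			if i+1 < len(args) && !strings.HasPrefix(args[i+1], "--") {
				opts[a] = args[i+1]
			}
		}
	}
	return opts
}

// Respond returns the stdout text for one extcap command (main would call it
// with os.Args[1:]). Interface-bound commands are refused unless Wireshark
// names exactly the interface this tool advertised.
func Respond(args []string) (string, error) {
	opts := parseArgs(args)
	has := func(k string) bool { _, ok := opts[k]; return ok }
	if (has("--extcap-config") || has("--extcap-dlts") || has("--capture")) &&
		opts["--extcap-interface"] != ifaceName {
		return "", fmt.Errorf("unknown --extcap-interface %q", opts["--extcap-interface"])
	}
	switch {
	case has("--extcap-interfaces"):
		return "interface {value=" + ifaceName + "}{display=Demo extcap interface}\n", nil
	case has("--extcap-config"): // one "arg" line per option Wireshark should offer
		return "arg {number=0}{call=--remote-host}{display=Remote host}{type=string}{required=true}\n", nil
	case has("--extcap-dlts"): // 147 is DLT_USER0, as in the sshdump example above
		return "dlt {number=147}{name=" + ifaceName + "}{display=Demo DLT}\n", nil
	case has("--capture"): // pcap bytes go to the fifo, never to stdout
		if opts["--fifo"] == "" {
			return "", fmt.Errorf("--capture requires --fifo")
		}
		return "", nil
	case has("--extcap-version"):
		return "extcap {version=0.0.1}\n", nil
	}
	return "", fmt.Errorf("no extcap command given")
}
```

Wireshark runs the binary once per command, so each invocation answers exactly one of the five flags.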

Examples

Very basic example

package main

import (
	"encoding/binary"
	"fmt"
	"io"
	"os"
	"time"

	"github.com/kor44/extcap"
)

func main() {
	if err := extcap.Run("Minimal Golang EXTCAP", capture); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
}

// capture is called by extcap.Run for the --capture command: it writes a PCAP
// global header followed by ten empty packets to the fifo Wireshark opened.
func capture(w io.WriteCloser, filter string) error {
	header := []any{
		uint32(0xA1B2C3D4), // magic
		uint16(2),          // verMajor
		uint16(4),          // verMinor
		uint32(0),          // reserved1
		uint32(0),          // reserved2
		uint32(1024),       // snapLen
		uint16(0),          // linkType: low half of the 32-bit field, written first in little-endian
		uint16(0),          // FCS: high half of the same field
	}

	for _, v := range header {
		err := binary.Write(w, binary.LittleEndian, v)
		if err != nil {
			return extcap.NewError("write header", err)
		}
	}

	for i := 0; i < 10; i++ {
		if err := writePacket(w); err != nil {
			return err
		}
		time.Sleep(3 * time.Second)
	}

	return w.Close()
}

// writePacket writes one PCAP record (header plus payload) with the current time
func writePacket(w io.WriteCloser) error {
	data := []any{
		uint32(time.Now().Unix()), // seconds
		uint32(0),                 // microseconds
		uint32(10),                // captured packet length
		uint32(10),                // original packet length
		[10]byte{},                // data
	}
	for _, v := range data {
		err := binary.Write(w, binary.LittleEndian, v)
		if err != nil {
			return extcap.NewError("write packet", err)
		}
	}
	return nil
}
