Wireshark-dev: Re: [Wireshark-dev] PcapNG format support for dumpcap

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 16 Jul 2015 12:20:54 -0700
On Jul 16, 2015, at 12:49 AM, Roland Knall <rknall@xxxxxxxxx> wrote:

> I've filed a bug report (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11370) for support in dumpcap and wireshark, to enable pcapng as a data format for capturing.

By which you presumably mean "enable pcap-ng as a data format that dumpcap supports when capturing from a pipe", as dumpcap has been able to *write* pcap-ng dump files for several releases - and has even *defaulted* to pcap-ng for the past few releases.

> We would need this for an extcap interface, where we would use the packet comments to add additional information to each packet, as otherwise we would have to write text files during capture, and these files are not forwarded correctly if a customer sends in a trace. Also we have to handle two data formats for the utility as of right now, which seems a little bit bloated.
> 
> My question therefore is, is anyone working on that,

Not that I know of.

> or are there reasons why not?

It's a non-trivial project, and you're the first one who needed it enough to start looking at it?

> If no one is working on this, could one of the main developers offer a guess on where to change the interfaces for this?

You'd need to:

	change cap_pipe_open_live() to recognize both pcap and pcap-ng files;

	either change cap_pipe_dispatch() to do different operations for pcap and pcap-ng files, or have two pipe dispatch routines, one for pcap files and one for pcap-ng files;

	add new callback routines that, when given a pcap-ng packet, queue it or write it, and use them when capturing from a pipe/socket that delivers pcap-ng files.

> My guess so far after poking around in the code a little bit would be, that in dumpcap itself the change would not be that big, as it seems to pass through whatever it reads, after initially checking on the file format. The bigger changes have to be done on the other side of the capture pipe in the XXshark utilities.

Umm, why would any changes be needed *at all* to them?

Wireshark and TShark have been able to read pcap-ng files for several releases now, and, for the past few releases, it's let dumpcap write its default pcap-ng format and reads it quite happily.  They wouldn't even *know* that dumpcap was capturing from a pipe, much less that pcap-ng rather than pcap packets were being delivered on the pipe.
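The two pipe-side steps named in the reply (recognising pcap versus pcap-ng on the pipe, then dispatching on the format) can be sketched in C. The following is an added example written for this thread, not dumpcap's own cap_pipe_open_live()/cap_pipe_dispatch() code: the function names pipe_detect() and pipe_dispatch(), the MAX_SNAPLEN and MAX_BLOCK_LEN bounds, and the sample byte arrays are all constructed for the example. The magic values are the ones from the pcap and pcap-ng specifications. The point a pipe reader has to get right is that every length it trusts comes from the writer on the far end of the pipe, so each record or block length is bounded and cross-checked before any buffer is sized from it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Magic numbers from the pcap and pcap-ng specifications. */
#define PCAP_MAGIC          0xa1b2c3d4u  /* microsecond timestamps */
#define PCAP_MAGIC_SWAPPED  0xd4c3b2a1u
#define PCAP_NSEC_MAGIC     0xa1b23c4du  /* nanosecond timestamps */
#define PCAP_NSEC_SWAPPED   0x4d3cb2a1u
#define PCAPNG_SHB_TYPE     0x0a0d0d0au  /* Section Header Block; same bytes either order */
#define PCAPNG_BOM          0x1a2b3c4du
#define PCAPNG_BOM_SWAPPED  0x4d3c2b1au

/* Constructed upper bounds (assumptions for this example): any length the
   pipe writer claims is checked against these before a buffer is sized. */
#define MAX_SNAPLEN   262144u
#define MAX_BLOCK_LEN (16u * 1024u * 1024u)

enum pipe_format { FMT_UNKNOWN = 0, FMT_PCAP, FMT_PCAPNG };

struct pipe_state {
    enum pipe_format fmt;
    int swapped;   /* writer's byte order differs from this host's */
    int nsec;      /* pcap only: timestamps are nanoseconds */
};

/* Read a 32-bit field written in the pipe writer's byte order. */
static uint32_t rd32(const uint8_t *p, int swapped) {
    uint32_t v;
    memcpy(&v, p, 4);
    if (swapped)
        v = (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
    return v;
}

/* One pcap-ng block: total length must cover the 12-byte minimum, be 4-byte
   aligned, fit the bound, be fully buffered and match the trailing length.
   Returns the block length, or 0 if the block is invalid or incomplete. */
static uint32_t pcapng_block_len(const uint8_t *buf, size_t len, const struct pipe_state *st) {
    if (st->fmt != FMT_PCAPNG || len < 12) return 0;
    uint32_t total = rd32(buf + 4, st->swapped);
    if (total < 12 || (total & 3u) != 0 || total > MAX_BLOCK_LEN) return 0;
    if (len < total) return 0;                                  /* wait for more bytes */
    if (rd32(buf + total - 4, st->swapped) != total) return 0;  /* corrupt trailer */
    return total;
}

/* One pcap record: 16-byte record header plus incl_len bytes of packet data. */
static uint32_t pcap_record_len(const uint8_t *buf, size_t len, const struct pipe_state *st) {
    if (st->fmt != FMT_PCAP || len < 16) return 0;
    uint32_t incl = rd32(buf + 8, st->swapped);
    if (incl > MAX_SNAPLEN || len < 16 + (size_t)incl) return 0;
    return 16 + incl;
}

/* The open step: classify the first bytes read from the pipe. Returns the
   header bytes consumed (24 for pcap, the SHB length for pcap-ng) or 0. */
static uint32_t pipe_detect(const uint8_t *buf, size_t len, struct pipe_state *st) {
    memset(st, 0, sizeof *st);
    if (len < 4) return 0;
    switch (rd32(buf, 0)) {
    case PCAP_NSEC_SWAPPED:  st->nsec = 1; /* fall through */
    case PCAP_MAGIC_SWAPPED: st->swapped = 1; st->fmt = FMT_PCAP; break;
    case PCAP_NSEC_MAGIC:    st->nsec = 1; /* fall through */
    case PCAP_MAGIC:         st->fmt = FMT_PCAP; break;
    case PCAPNG_SHB_TYPE: {
        if (len < 12) return 0;
        uint32_t bom = rd32(buf + 8, 0);
        if (bom == PCAPNG_BOM) st->swapped = 0;
        else if (bom == PCAPNG_BOM_SWAPPED) st->swapped = 1;
        else return 0;
        st->fmt = FMT_PCAPNG;
        uint32_t n = pcapng_block_len(buf, len, st);   /* the SHB is the header */
        if (n == 0) st->fmt = FMT_UNKNOWN;
        return n;
    }
    default: return 0;
    }
    if (len < 24) { st->fmt = FMT_UNKNOWN; return 0; }  /* pcap global header */
    return 24;
}

/* One dispatch routine serving both formats (the second option in the reply):
   returns the size of the next complete unit, a pcap record or pcap-ng block. */
static uint32_t pipe_dispatch(const uint8_t *buf, size_t len, const struct pipe_state *st) {
    return st->fmt == FMT_PCAP   ? pcap_record_len(buf, len, st)
         : st->fmt == FMT_PCAPNG ? pcapng_block_len(buf, len, st) : 0;
}

/* Constructed sample input: a little-endian SHB, the same SHB big-endian, an
   SHB claiming an absurd length, and a little-endian pcap header + one record. */
static const uint8_t SAMPLE_SHB_LE[28] = {
    0x0a,0x0d,0x0d,0x0a, 0x1c,0x00,0x00,0x00, 0x4d,0x3c,0x2b,0x1a, 0x01,0x00, 0x00,0x00,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0x1c,0x00,0x00,0x00 };
static const uint8_t SAMPLE_SHB_BE[28] = {
    0x0a,0x0d,0x0d,0x0a, 0x00,0x00,0x00,0x1c, 0x1a,0x2b,0x3c,0x4d, 0x00,0x01, 0x00,0x00,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x00,0x00,0x1c };
static const uint8_t SAMPLE_SHB_BAD_LEN[28] = {
    0x0a,0x0d,0x0d,0x0a, 0xff,0xff,0xff,0xff, 0x4d,0x3c,0x2b,0x1a, 0x01,0x00, 0x00,0x00,
    0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff };
static const uint8_t SAMPLE_PCAP_LE[44] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0x00,0x00, 0x01,0,0,0,
    0,0,0,0, 0,0,0,0, 0x04,0,0,0, 0x04,0,0,0, 0xde,0xad,0xbe,0xef };

static uint32_t detect_len(const uint8_t *buf, size_t len) {
    struct pipe_state st;
    return pipe_detect(buf, len, &st);
}

/* Detect, then dispatch until the buffer runs out; returns units found (-1 if unrecognised). */
static int count_units(const uint8_t *buf, size_t len, enum pipe_format *fmt_out) {
    struct pipe_state st;
    uint32_t n = pipe_detect(buf, len, &st);
    if (n == 0) return -1;
    int units = 0;
    for (size_t off = n; off < len; units++) {
        uint32_t u = pipe_dispatch(buf + off, len - off, &st);
        if (u == 0) break;
        off += u;
    }
    *fmt_out = st.fmt;
    return units;
}

int main(void) {
    enum pipe_format f;
    printf("pcap-ng LE header: %u bytes\n", detect_len(SAMPLE_SHB_LE, sizeof SAMPLE_SHB_LE));
    printf("pcap-ng BE header: %u bytes\n", detect_len(SAMPLE_SHB_BE, sizeof SAMPLE_SHB_BE));
    printf("bogus SHB length accepted: %u\n", detect_len(SAMPLE_SHB_BAD_LEN, sizeof SAMPLE_SHB_BAD_LEN));
    printf("pcap records: %d\n", count_units(SAMPLE_PCAP_LE, sizeof SAMPLE_PCAP_LE, &f));
    return 0;
}
```

Because the detection reads the magic in host order and records whether swapping is needed, the same code accepts pipes written by either-endian hosts, which is why the little- and big-endian SHB samples both detect as 28-byte headers. Anything after the SHB is handed to the block validator, so a later block carrying an oversized or misaligned length is dropped at the header rather than turning into an allocation of the claimed size.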