Wireshark-dev: Re: [Wireshark-dev] Adding pcap-ng pipe support to dumpcap

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 30 Aug 2017 18:24:13 -0700
On Aug 30, 2017, at 4:58 PM, Stephen Donnelly <Stephen.Donnelly@xxxxxxxxxx> wrote:

> At the very least extcap tools should be able to supply data in any format understood by wiretap, but since the extcap data currently goes via dumpcap (maybe not sensible either?)

Perhaps not, indeed.

Currently, there's a protocol between dumpcap and {Wireshark,TShark} allowing dumpcap to tell *shark "I've appended N more packets to the capture file", to allow dumpcap to report errors and "here's another capture file" (if it's doing multiple files), etc.

If extcap programs were to speak that protocol when capturing, you could have the extcap programs behave similarly to dumpcap, writing packets directly to a file, and have *shark run the extcap program rather than running dumpcap.  I.e., make extcap programs act as substitutes for dumpcap.
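The control channel Guy describes, as an added example that is not code from the original message or from the Wireshark project: a toy Python model of the dumpcap-to-*shark "sync pipe". The framing (one indicator byte, a three-byte big-endian payload length, then the payload), the indicator letters and the 4096-byte message limit are the editor's assumptions modelled on Wireshark's sync_pipe.h, not copied from it, and the payload formats are simplified (real error messages carry nested sub-messages). The capture session in run_session() is constructed. The point worth noticing for the proposal above is on the parent side: if arbitrary extcap programs were to speak this protocol, the parent must treat every message as untrusted input, so the reader rejects unknown indicators and oversized lengths before buffering.

```python
"""Toy model of the dumpcap -> *shark sync-pipe control protocol (illustrative)."""

HEADER_LEN = 4
MAX_PAYLOAD = 0xFFFFFF   # largest value the 3-byte length field can hold
MAX_MSG_LEN = 4096       # sanity bound the parent enforces (assumed value)

# Indicators: assumed, modelled on sync_pipe.h, not quoted from it.
SP_FILE = b"F"           # "here's the capture file I'm writing to"
SP_PACKET_COUNT = b"P"   # "I've appended N more packets"
SP_ERROR_MSG = b"E"      # error text (simplified to plain text here)
SP_BAD_FILTER = b"B"     # capture filter did not compile
SP_DROPS = b"D"          # packets dropped (payload here: plain decimal, assumed)
SP_SUCCESS = b"S"        # capture started successfully
SP_QUIT = b"Q"           # parent -> child: stop capturing

KNOWN = {SP_FILE, SP_PACKET_COUNT, SP_ERROR_MSG, SP_BAD_FILTER,
         SP_DROPS, SP_SUCCESS, SP_QUIT}


class ProtocolError(Exception):
    pass


def encode(indicator: bytes, payload: bytes = b"") -> bytes:
    """Frame one message as the capture child would write it to the pipe."""
    if len(indicator) != 1 or indicator not in KNOWN:
        raise ValueError("unknown indicator %r" % indicator)
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for the 3-byte length field")
    return indicator + len(payload).to_bytes(3, "big") + payload


class SyncPipeReader:
    """Parent-side parser: accepts arbitrary read() chunks, returns complete messages."""

    def __init__(self, max_msg_len: int = MAX_MSG_LEN):
        self.buf = bytearray()
        self.max_msg_len = max_msg_len

    def feed(self, data: bytes):
        self.buf += data
        out = []
        while len(self.buf) >= HEADER_LEN:
            indicator = bytes(self.buf[0:1])
            length = int.from_bytes(self.buf[1:4], "big")
            # The child is a separate process; validate its header before
            # trusting the length to size a buffer or wait for more bytes.
            if indicator not in KNOWN:
                raise ProtocolError("unknown indicator %r" % indicator)
            if length > self.max_msg_len:
                raise ProtocolError("message length %d exceeds limit" % length)
            if len(self.buf) < HEADER_LEN + length:
                break  # partial message: keep buffering
            payload = bytes(self.buf[HEADER_LEN:HEADER_LEN + length])
            del self.buf[:HEADER_LEN + length]
            out.append((indicator, payload))
        return out


def is_rejected(data: bytes) -> bool:
    """True if a fresh reader refuses the given bytes as malformed."""
    try:
        SyncPipeReader().feed(data)
        return False
    except ProtocolError:
        return True


class CaptureState:
    """What *shark tracks from the messages: current file, packet and drop totals."""

    def __init__(self):
        self.files, self.errors = [], []
        self.packets = self.drops = 0
        self.started = False

    def handle(self, indicator: bytes, payload: bytes) -> None:
        if indicator == SP_FILE:
            self.files.append(payload.decode())   # new file: parent reopens here
        elif indicator == SP_SUCCESS:
            self.started = True
        elif indicator == SP_PACKET_COUNT:
            self.packets += int(payload.decode())  # parent reads N more records
        elif indicator == SP_DROPS:
            self.drops += int(payload.decode())
        elif indicator in (SP_ERROR_MSG, SP_BAD_FILTER):
            self.errors.append(payload.decode())


def run_session(chunk_size: int = 5) -> CaptureState:
    """Constructed two-file capture, delivered to the parent in small pipe reads."""
    wire = b"".join([
        encode(SP_FILE, b"/tmp/cap_00001.pcapng"),
        encode(SP_SUCCESS),
        encode(SP_PACKET_COUNT, b"10"),
        encode(SP_PACKET_COUNT, b"5"),
        encode(SP_FILE, b"/tmp/cap_00002.pcapng"),  # ring buffer rolled over
        encode(SP_PACKET_COUNT, b"7"),
        encode(SP_DROPS, b"3"),
    ])
    reader, state = SyncPipeReader(), CaptureState()
    for i in range(0, len(wire), chunk_size):
        for indicator, payload in reader.feed(wire[i:i + chunk_size]):
            state.handle(indicator, payload)
    if reader.buf:
        raise ProtocolError("pipe closed mid-message")
    return state


if __name__ == "__main__":
    s = run_session()
    print(s.files, s.packets, s.drops, s.started)
```

The reader is deliberately split from the state machine: the same framing code would serve whether the child is dumpcap or an extcap program acting as its substitute, and the two validation checks are what keep a misbehaving child from driving the parent's buffer sizes.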