From: Guy Harris on Thursday, 31 August 2017 1:24 PM
> On Aug 30, 2017, at 4:58 PM, Stephen Donnelly <Stephen.Donnelly@xxxxxxxxxx> wrote:
>> At the very least extcap tools should be able to supply data in any format understood by wiretap, but since the extcap data currently goes via dumpcap (maybe not sensible either?)
>
> Perhaps not, indeed.
>
> Currently, there's a protocol between dumpcap and {Wireshark,TShark} allowing dumpcap to tell *shark "I've appended N more packets to the capture file", to allow dumpcap to report errors and "here's another capture file" (if it's doing multiple files), etc..
>
> If extcap programs were to speak that protocol when capturing, you could have the extcap programs behave similarly to dumpcap, writing packets directly to a file, and have *shark run the extcap program rather than running dumpcap. I.e., make extcap programs act as substitutes for dumpcap.

Agreed. In fact, if extcap programs can talk directly to *shark, then dumpcap becomes just another extcap program and not especially privileged.

Stephen