Wireshark-dev: Re: [Wireshark-dev] extcap tools

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 26 Mar 2019 13:57:47 -0700
On Mar 23, 2019, at 1:21 PM, Ross Jacobs <rossbjacobs@xxxxxxxxx> wrote:

> I am confused by differences in extcap between the CLI and the GUI. By default (in 3.0.0 on both Windows, Macos), extcap tools are presented as interfaces on the capture page. 
> <Screen Shot 2019-03-23 at 8.11.37 PM.png>

And in TShark, they're presented in the list of devices printed by the -D flag, because it can capture on them.

> Questions 
> 1. In the Wireshark GUI, if you go to About > Plugins, you can see the extcap directories.

By which you presumably mean "you can see the full path of all extcap *executables*.

If you want to see the extcap *directory*, you want About > Folders.

> Is it possible to get the extcap directory using a CLI command like tshark,

tshark -G folders, which is the equivalent of About > Folders.

There is no way to list the full paths of extcap executables from the command line; tshark -G plugins, which looks as if it's *intended* to be the equivalent of About > Folders, lists only run-time-loadable-object and Lua plugins, not extcap plugins.

> 2. Why does dumpcap -D not show the same interfaces that the GUI does?

Either because 1) there's a bug or 2) it can't capture on extcap devices, so it shouldn't report them.  From a quick test, it appears that 2) is the case here.