While correct as an answer, the main Limitation here is dumpcap. You would have to implement a mechanism to let dumpcap know which format to use for the internal pipe to the extcap interrace. DLT could be that. Pcapng has been on the wishlist for a very long time as a format
Kind regards
Roland
> Am 21.03.2021 um 15:53 schrieb Tomasz Moń <desowin@xxxxxxxxx>:
>
> On Sun, Mar 21, 2021 at 1:21 PM Martin Mathieson via Wireshark-dev
> <wireshark-dev@xxxxxxxxxxxxx> wrote:
>> Can an extcap program write to a wiretap-supported file format other than pcap or pcapng? A quick test (hack to file preamble and frames in extcap_example.py) suggests not..
>> Has it to do with synchronising whole frames being read at the wireshark end of the pipe?
>
> Currently extcap is inherently bound to pcap. Currently extcaps
> mention their DLT that determines link layer header type (as defined
> at [1]) when they are being called with --extcap-dlts argument. When
> you capture from extcap source, it is dumpcap that reads the pcap
> stream that is written to the pipe by extcap.
>
> To make extcap support different file types would would need to:
> * extend extcap interface with a method to let Wireshark know that
> the extcap in question does not output pcap data
> * make dumpcap capable of at least passing the data from the pipe to Wireshark
>
> [1] https://www.tcpdump.org/linktypes.html
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe