Wireshark-dev: Re: [Wireshark-dev] How to stop extcap gracefully

From: Roland Knall <rknall@xxxxxxxxx>
Date: Sat, 27 Nov 2021 23:22:02 +0100
In the case of ciscodump, there is no closing on the extcap side. Basically, it reads packets indefinitely in ssh_loop_read until you either get a read error on the channel or receive the end packet.

You would need to add another exit condition to the do..while loop there.

extcap programs work a little differently than capture interfaces; as such, it was meant as a management system for piped input, where you either have a finite number of packets to send to Wireshark or you have total control over what to send. When you have sent all the information you wanted to send, you simply exit the program. If Wireshark closes the pipe before that, we "should" cleanly exit due to the fact that dumpcap closes the control stream and terminates the program execution, as we are running in a child thread. We have seen in the past that this might not always happen 100%.

kind regards
Roland

On Sat, 27 Nov 2021 at 22:51, Jirka Novak <j.novak@xxxxxxxxxxxx> wrote:
Hi Roland,

> Due to the nature of extcaps, they are not explicitly closed. Instead,
> you should monitor the created pipes. Dumpcap closes those pipes when
> the capture has finished. We do send them a kill signal, but due to the
> nature of the signal handling, this signal may be missed.
>
> The sure fire way is, if the pipe gets closed, end the extcap from the
> extcap side.

Can you point me to the place where the pipes are controlled on the extcap side? I
see a common framework there, but I'm not sure where exactly the place is...

Thank you in advance,

Jirka
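The extra exit condition Roland describes, as an added C example that is not ciscodump's or Wireshark's code: the capture loop stops either at end of data or when a write to the capture pipe fails with EPIPE because dumpcap has closed its end. The names (extcap_loop, write_all, run_demo, fake_source) are this example's, the pcap framing is omitted, and pipe() stands in for the extcap fifo.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
enum loop_exit { LOOP_DONE = 0, LOOP_PIPE_CLOSED = 1, LOOP_WRITE_ERROR = 2 }; /* example's own names */

/* Write the whole buffer (handles short writes and EINTR). Returns 0, or -1 with
 * errno set; with SIGPIPE ignored that is EPIPE once dumpcap closed its end. */
int write_all(int fd, const void *buf, size_t len) {
    const uint8_t *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) return -1;
        p += n; len -= (size_t)n;
    }
    return 0;
}
/* Loop in the spirit of the do..while in ssh_loop_read, plus the extra exit
 * condition: stop when the source is exhausted OR the output pipe is gone.
 * next_packet() fills buf and returns the length; 0 means end of data. */
int extcap_loop(int fifo_fd, size_t (*next_packet)(uint8_t *buf, size_t cap)) {
    uint8_t pkt[2048]; size_t n;
    while ((n = next_packet(pkt, sizeof pkt)) > 0) {
        if (write_all(fifo_fd, pkt, n) < 0)
            return errno == EPIPE ? LOOP_PIPE_CLOSED : LOOP_WRITE_ERROR;
    }
    return LOOP_DONE;
}
/* Constructed packet source: fake_packets_left dummy 64-byte records, then end. */
int fake_packets_left = 3;
size_t fake_source(uint8_t *buf, size_t cap) {
    size_t len = cap < 64 ? cap : 64;
    if (fake_packets_left-- <= 0) return 0;
    memset(buf, 0xAB, len);
    return len;
}
/* Demo harness: feed the loop into a pipe whose read end is kept open (dumpcap
 * still reading) or closed first (dumpcap gone). Returns the loop's exit reason. */
int run_demo(int reader_open) {
    int fds[2], rc;
    signal(SIGPIPE, SIG_IGN);         /* a closed reader surfaces as EPIPE, not a kill */
    if (pipe(fds) < 0) return LOOP_WRITE_ERROR;
    if (!reader_open) close(fds[0]);  /* simulate dumpcap having closed its end */
    fake_packets_left = 3;
    rc = extcap_loop(fds[1], fake_source);
    if (reader_open) close(fds[0]);
    close(fds[1]);
    return rc;
}
int main(void) { return run_demo(0) == LOOP_PIPE_CLOSED ? 0 : 1; }
```

Ignoring SIGPIPE is what turns a closed pipe into a detectable error return instead of the process simply being killed, which is the case Roland notes does not always happen reliably.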