Go to main content

man pages section 4: Device and Network Interfaces

Exit Print View

Updated: Thursday, June 13, 2019

extcap (4)


extcap - The extcap interface


Please see following description for synopsis


The Wireshark Network Analyzer                                       EXTCAP(4)

       extcap - The extcap interface

       The extcap interface is a versatile plugin interface that allows
       external binaries to act as capture interfaces directly in wireshark.
       It is used in scenarios, where the source of the capture is not a
       traditional capture model (live capture from an interface, from a pipe,
       from a file, etc). The typical example is connecting esoteric hardware
       of some kind to the main wireshark app.

       Without extcap, a capture can always be achieved by directly writing to
       a capture file:

           the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap &
           wireshark dumpfile.pcap

       but the extcap interface allows for such a connection to be easily
       established and configured using the wireshark GUI.

       The extcap subsystem is made of multiple extcap binaries that are
       automatically called by the GUI in a row. In the following chapters we
       will refer to them as "the extcaps".

       Extcaps may be any binary or script within the extcap directory. Please
       note, that scripts need to be executable without prefacing a script
       interpreter before the call. To go deeper into the extcap utility
       development, please refer to README.extcap.

       WINDOWS USER: Because of restrictions directly calling the script may
       not always work.  In such a case, a batch file may be provided, which
       then in turn executes the script. Please refer to doc/extcap_example.py
       for more information.

       Grammar elements:

       arg (options)
           argument for CLI calling

           Reference # of argument for other values, display order

           Literal argument to call (--call=...)

           Displayed name

           Default value, in proper form for type

           Range of valid values for UI checking (min,max) in proper form

           Argument type for UI filtering for raw, or UI type for selector:

               long (may include scientific / special notation)
               selector (display selector table, all values as strings)
               boolean (display checkbox)
               radio (display group of radio buttons with provided values, all values as strings)
               fileselect (display a dialog to select a file from the filesystem, value as string)
               multicheck (display a textbox for selecting multiple options, values as strings)
               password (display a textbox with masked text)
               timestamp (display a calendar)

       value (options)
               Values for argument selection
               arg     Argument # this value applies to

       Example 1:

           arg {number=0}{call=--channel}{display=Wi-Fi Channel}{type=integer}{required=true}
           arg {number=1}{call=--chanflags}{display=Channel Flags}{type=radio}
           arg {number=2}{call=--interface}{display=Interface}{type=selector}
           value {arg=0}{range=1,11}
           value {arg=1}{value=ht40p}{display=HT40+}
           value {arg=1}{value=ht40m}{display=HT40-}
           value {arg=1}{value=ht20}{display=HT20}
           value {arg=2}{value=wlan0}{display=wlan0}

       Example 2:

           arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
           value {arg=0}{call=/dev/sysfs/usb/foo/123}{display=Ubertooth One sn 1234}
           value {arg=0}{call=/dev/sysfs/usb/foo/456}{display=Ubertooth One sn 8901}

       Example 3:

           arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
           arg {number=1}{call=--server}{display=IP address for log server}{type=string}{validation=(?:\d{1,3}\.){3}\d{1,3}}
           flag {failure=Permission denied opening Ubertooth device}

       Example 4:
           arg {number=0}{call=--username}{display=Username}{type=string}
           arg {number=1}{call=--password}{display=Password}{type=password}

       Example 5:
           arg {number=0}{call=--start}{display=Start Time}{type=timestamp}
           arg {number=1}{call=--end}{display=End Time}{type=timestamp}

Security awareness
       - Users running wireshark as root, we can't save you
       - Dumpcap retains suid/setgid and group+x permissions to allow users in
       wireshark group only
       - Third-party capture programs run w/ whatever privs they're installed
       - If an attacker can write to a system binary directory, we're game
       over anyhow
       - Reference the folders tab in the wireshark->about information, to see
       from which directory extcap is being run

       See attributes(7) for descriptions of the following attributes:

       |ATTRIBUTE TYPE |           ATTRIBUTE VALUE             |
       |Availability   | diagnostic/wireshark/wireshark-common |
       |Stability      | Uncommitted                           |
       wireshark(1), tshark(1), dumpcap(1), androiddump(1), sshdump(1),

       Extcap is feature of Wireshark.  The latest version of Wireshark can be
       found at <https://www.wireshark.org>.

       HTML versions of the Wireshark project man pages are available at:

       This software was built from source available at
       https://github.com/oracle/solaris-userland.  The original community
       source was downloaded from  http://www.wireshark.org/download/src/all-

       Further information about this software can be found on the open source
       community website at http://www.wireshark.org/.

2.6.9                             2019-05-22                         EXTCAP(4)