Wireshark · Wireshark-dev: Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

Wireshark-dev: Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugi

From: Timmy Brolin <tib@xxxxxx>

Date: Thu, 11 Feb 2021 16:41:36 +0000

Proposed solution

I have investigated this in more depth and found that Wireshark simply does not do any kind of graceful termination of extcaps. It always kills extcaps forcefully, which causes loss of data on the capture pipe.

Particularly the pcapng “Interface Statistics Block” is always lost, which probably is why none of the built-in extcaps in Wireshark supports the Interface Statistics block at the moment: They can’t.

Win32 offers very few methods for graceful termination of processes. The most recommended standard method to my knowledge is to use the WM_CLOSE message. Which is what I have implemented here:
https://gitlab.com/wireshark/wireshark/-/merge_requests/2063

Regards,
Timmy Brolin

From: Wireshark-dev <wireshark-dev-bounces@xxxxxxxxxxxxx> On Behalf Of Timmy Brolin
Sent: den 24 november 2020 11:07
To: Developer support list for Wireshark <wireshark-dev@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

> Windows Console applications have a handler to respond to console events, the default handler simply exits the process. Sending the console events is a little tricky, but there are workarounds, see here: https://blog.codetitans.pl/post/sending-ctrl-c-signal-to-another-application-on-windows.

I am working on a extcap, I only need to know what kind of event to listen to from Wireshark.

> Without having done any of this, I imagine the extcap "controller" would send a console event to indicate the extcap should close the capture, e.g. the Ctrl + C or Ctrl + Break events, and if the extcap process has a handler to catch the event, do whatever it wishes before exiting. Making the extcap "controller" keep the pipe open for the appropriate amount of time might also require work.

Reading through capchild/capture_sync.c I came across this function:

/* tell the child through the signal pipe that we want to quit the capture */

static void

signal_pipe_capquit_to_child(capture_session *cap_session)

{

const char quit_msg[] = "QUIT";

int ret;

g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "signal_pipe_capquit_to_child");

/* it doesn't matter *what* we send here, the first byte will stop the capture */

/* simply sending a "QUIT" string */

/*pipe_write_block(cap_session->signal_pipe_write_fd, SP_QUIT, quit_msg);*/

ret = ws_write(cap_session->signal_pipe_write_fd, quit_msg, sizeof quit_msg);

if(ret == -1) {

g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,

"signal_pipe_capquit_to_child: %d header: error %s", cap_session->signal_pipe_write_fd, g_strerror(errno));

}

It seems wireshark is supposed to send a “QUIT” string to extcap to gracefully stop a capture, 500ms before killing extcap?

I have tried having the extcap listening to “kbhit()” for stdin input, but I get nothing.

Is this “QUIT” message from Wireshark not piped to extcap stdin?

Or am I reading the code completely wrong?

On Tue, 24 Nov 2020 at 08:44, Timmy Brolin <tib@xxxxxx> wrote:

> > There seems to exist several alternative ways of doing it in Windows.
> >
> > Such as sending WM_QUIT or WM_CLOSE on the message queue,
>
> This assumes that the program you're trying to tell to terminate *has* a message queue to which it pays attention.
>
> Extcap programs are character-mode (console) programs, not windows programs; unless there's some hidden thread that's listening to a Windows message queue in those programs, they won't see that message.

Well, since I am writing the extcap, I can certainly add a Windows message queue, if that is what it takes to make it work properly with Wireshark.
I have made some tests with this, but so far I have not seen a WM_CLOSE or WM_QUIT message on the queue.

> > or CTRL_BREAK_EVENT via SetConsoleCtrlHandler().
>
> According to a comment in sig_pipe_kill() in capchild/capture_sync.c:
>
> so that might not work either.

So is there no way for an extcap to gracefully end a capture?
And thereby no way to for an extcap to send a Interface Statistics Block to Wireshark?

I would like for the extcap to be able to report number of dropped packets to wireshark.
According to the pcapng specification, this can be done either via the "epb_dropcount" option in the Enhanced Packet Block or via the "isb_ifdrop" or " isb_osdrop" options in the Interface Statistics block.
Out of these three options, Wireshark only seems to support the "isb_ifdrop" option, so the Interface Statistics Block is the only way to report dropped packets.

Graham Bloice

Prev by Date: Re: [Wireshark-dev] Fwd: [Season of Docs - Announcements] The 2021 Season of Docs application for organizations is open!
Next by Date: Re: [Wireshark-dev] pcapng decoding error when preamble is shortened
Previous by thread: [Wireshark-dev] Remote Developer Den, February 2021
Next by thread: [Wireshark-dev] Help finding the link layer dissector call (netmon_802_11)
Index(es):
- Date
- Thread