summaryrefslogtreecommitdiffstats
path: root/doc/wsdg_src/wsdg_capture.adoc
diff options
context:
space:
mode:
Diffstat (limited to 'doc/wsdg_src/wsdg_capture.adoc')
-rw-r--r--doc/wsdg_src/wsdg_capture.adoc505
1 files changed, 505 insertions, 0 deletions
diff --git a/doc/wsdg_src/wsdg_capture.adoc b/doc/wsdg_src/wsdg_capture.adoc
new file mode 100644
index 00000000..868f2a0f
--- /dev/null
+++ b/doc/wsdg_src/wsdg_capture.adoc
@@ -0,0 +1,505 @@
+// WSDG Chapter Capture
+
+[#ChapterCapture]
+
+== Packet Capture
+
+****
+This chapter needs to be reviewed and extended.
+****
+
+[#ChCaptureAddLibpcap]
+
+=== Adding A New Capture Type To Libpcap
+
+For this discussion, let's assume you're working with libpcap 1.0 or
+later. You probably don't want to work with a version older than 1.0,
+even if whatever OS you're using happens to include libpcap - older
+versions are not as friendly towards adding support for devices other
+than standard network interfaces.
+
+First, read
+link:https://www.tcpdump.org/libpcap-module-HOWTO.html[the
+libpcap documentation on writing a new libpcap module]
+
+(It's currently incomplete, but I'll be finishing it up over time. If
+you have contributions, feel free to submit pull requests for it.)
+
+If you had to introduce one or more new `{dlt-glob}` values, you will
+also have to add support in Wireshark for those `{dlt-glob}` values to
+_wiretap/pcap-common.c_, which might mean adding one or more
+_WTAP_ENCAP_ types to _wtap.h_ and to the `encap_table[]` table in
+_wiretap/wtap.c_. You'd then have to write a dissector or dissectors for
+the link-layer protocols or protocols and have them register themselves
+with the `wtap_encap` dissector table, with the appropriate _WTAP_ENCAP_
+values by calling `dissector_add_uint()`.
+
+[#ChCaptureExtcap]
+
+=== Adding Capture Interfaces And Log Sources Using Extcap
+
+The extcap interface is a versatile plugin interface that allows external binaries
+to act as capture interfaces directly in Wireshark. It is used in scenarios, where
+the source of the capture is not a traditional capture model (live capture from an
+interface, from a pipe, from a file, etc). The typical example is connecting esoteric
+hardware of some kind to the main Wireshark app.
+
+Without extcap, a capture can always be achieved by directly writing to a capture file:
+
+.Bash example for traditional capture with a capture file.
+[source,bash]
+----
+$ the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap &
+$ wireshark dumpfile.pcap
+----
+
+but the extcap interface allows for such a connection to be easily established and
+configured using the Wireshark GUI.
+
+The extcap subsystem is made of multiple extcap binaries that are automatically
+called by the GUI in a row. In the following chapters we will refer to them as
+“the extcaps”.
+
+Extcaps may be any binary or script within the extcap directory. Please note, that
+scripts need to be executable without prefacing a script interpreter before the call.
+
+IMPORTANT: *Windows Users* Because of restrictions directly calling the script may not always work.
+In such a case, a batch file may be provided, which then in turn executes the script.
+Please refer to <<ChCaptureExtcapWindowsShell>> for more information.
+
+When Wireshark launches an extcap, it automatically adds its installation path
+(normally _C:\Program Files\Wireshark\_) to the DLL search path so that the extcap library dependencies
+can be found (it is not designed to be launched by hand). This is done on purpose. There should
+only be extcap programs (executables, Python scripts, etc.) in the extcap folder to reduce the startup
+time and not have Wireshark trying to execute other file types.
+
+[#ChCaptureExtcapProcess]
+
+==== Extcap Command Line Interface
+
+The actual capture is run after a setup process that can be done manually by the
+user or automatically by the GUI. All the steps performed are done for every extcap.
+
+Let's go through those steps.
+
+===== Query For Available Interfaces
+
+In the first step the extcap is queried for its interfaces.
+
+[source,bash]
+----
+$ extcapbin --extcap-interfaces
+----
+
+This call must print the existing interfaces for this extcap and must return 0.
+The output must conform to the grammar specified for extcap, and it is specified
+in the doc/extcap.4 generated man page (in the build dir).
+
+Wireshark 2.9 and later also pass `--extcap-version=x.x`, which provides the calling Wireshark's major and minor version.
+This can be used to change behavior depending on the Wireshark version in question.
+
+.Example call for interface query
+[source,bash]
+----
+$ extcap_example.py --extcap-interfaces --extcap-version=4.0
+extcap {version=1.0}{help=Some help url}
+interface {value=example1}{display=Example interface 1 for extcap}
+interface {value=example2}{display=Example interface 2 for extcap}
+----
+
+The *version* for the extcap sentence (which may exist as many times as is needed, but only
+the last one will be used) will be used for displaying the version information of
+the extcap interface in the about dialog of Wireshark.
+
+The value for each interface will be used in subsequent calls as the interface name <iface>.
+
+Using the help argument, an interface may provide a generic help URL for the extcap
+utility.
+
+===== Ask For DLTs For Each Interface
+
+Next, the extcap binary is queried for all valid DLTs for all the interfaces returned by step 1.
+
+[source,bash]
+----
+$ extcap_example.py --extcap-dlts --extcap-interface <iface>
+----
+
+This call must print the valid DLTs for the interface specified. This call is
+made for all the interfaces and must return 0.
+
+.Example for the DLT query
+[source,bash]
+----
+$ extcap_example.py --extcap-interface IFACE --extcap-dlts
+dlt {number=147}{name=USER1}{display=Demo Implementation for Extcap}
+----
+
+A binary or script which neither provides an interface list or a DLT list will not show up in the extcap interfaces list.
+
+===== The Extcap Configuration Interface
+
+The extcap binary is next asked for the configuration of each specific interface
+
+[source,bash]
+----
+$ extcap_example.py --extcap-interface <iface> --extcap-config
+----
+
+Each interface can have custom options that are valid for this interface only.
+Those config options are specified on the command line when running the actual
+capture. To allow an end-user to specify certain options, such options may be
+provided using the extcap config argument.
+
+To share which options are available for an interface, the extcap responds to the command `--extcap-config`, which shows all the available options (aka additional command line options).
+
+Those options are used to build a configuration dialog for the interface.
+
+.Example for interface options
+[source,bash]
+----
+$ extcap_example.py --extcap-interface <iface> --extcap-config
+arg {number=0}{call=--delay}{display=Time delay}{tooltip=Time delay between packages}{type=integer}{range=1,15}{required=true}
+arg {number=1}{call=--message}{display=Message}{tooltip=Package message content}{placeholder=Please enter a message here ...}{type=string}
+arg {number=2}{call=--verify}{display=Verify}{tooltip=Verify package content}{type=boolflag}
+arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector}
+arg {number=4}{call=--server}{display=IP address for log server}{type=string}{validation=\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b}
+value {arg=3}{value=if1}{display=Remote1}{default=true}
+value {arg=3}{value=if2}{display=Remote2}{default=false}
+----
+
+Now the user can click on the options and change them. They are sent to the
+extcap when the capture is launched.
+
+There are several kind of options available:
+
+[horizontal]
+File::
+A path to a file displayed as a text entry and file selector.
+
+Flag::
+A boolean value displayed as a checkbox.
+_boolflag_ for instance expects the option to be present resulting in the corresponding entry set to true or false.
+
+Selection::
+A set of fixed values displayed as a combobox, radio group, or selection list.
+Selections can be presented multiple times in the command line.
+Subsequent _value_ items must be provided in the config list.
+
+Timestamp::
+A time value displayed as a date/time editor.
+
+Value::
+A text or numeric value displayed as an entry box.
+Values are passed as a single value via the command-line call.
+
+===== The Extcap Capture Process
+
+Once the interfaces are listed and configuration is customized by the user the capture can be started.
+
+[source,bash]
+----
+$ extcap_example.py --extcap-interface <iface> [params] --capture [--extcap-capture-filter <cfilter>]
+ --fifo FIFO
+----
+
+To run the capture, the extcap must implement the `--capture`, `--extcap-capture-filter`
+and `--fifo` options.
+
+They are automatically added by Wireshark, which opens the fifo for reading.
+All the other options are automatically added to run the capture.
+The extcap interface is used like all other interfaces (meaning that capture on multiple interfaces, as well as stopping and restarting the capture is supported).
+
+[#ChCaptureExtcapWindowsShell]
+
+====== Execute A Script-based Extcap On Windows
+
+Although Windows will run batch and PowerShell scripts directly, other scripting languages require extra effort.
+In most cases this involves creating a wrapper script which runs the appropriate interpreter.
+For example, in order to run a Python-based extcap, you can create _scriptname.bat_ inside your extcap folder with the following content:
+
+[source,batch]
+----
+@echo off
+C:\Windows\py.exe C:\Path\to\my\extcap.py %*
+----
+
+==== Extcap Arguments
+
+The extcap interface provides the possibility for generating a GUI dialog to
+set and adapt settings for the extcap binary.
+
+All options must provide a number, by which they are identified.
+No number may be provided twice.
+All options must present the elements _call_ and _display_, with _call_ specifying the argument’s name on the command line and _display_ specifying the name in the GUI.
+
+Additionally _tooltip_ and _placeholder_ may be provided, which will give the user information about what to enter into this field.
+
+These options do have types, for which the following types are being supported:
+
+[horizontal]
+_integer_, _unsigned_, _long_, _double_::
+This provides a field for entering a numeric value of the given data type.
+A _default_ value may be provided, as well as a _range_.
++
+[source,python]
+----
+arg {number=0}{call=--delay}{display=Time delay}{tooltip=Time delay between packages}{type=integer}{range=1,15}{default=0}
+----
+
+_string_::
+This provides a field for entering a text value.
++
+[source,python]
+----
+arg {number=1}{call=--server}{display=IP Address}{tooltip=IP Address for log server}{type=string}{validation=\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b}
+----
++
+`validation` allows to provide a regular expression string, which is used to check the user input for validity beyond normal data type or range checks. Back-slashes must be escaped (as in \\b for \b)
+
+_password_::
+Lets the user provide a masked string to the capture.
+Password strings are not saved with other capture settings.
++
+[source,python]
+----
+arg {number=0}{call=--password}{display=The user password}{tooltip=The password for the connection}{type=password}
+----
+
+_boolean_, _boolflag_::
+This provides the possibility to set a true/false value.
+_boolflag_ values will only appear in the command line if set to true, otherwise they will not be added to the command-line call for the extcap interface.
++
+[source,python]
+----
+arg {number=2}{call=--verify}{display=Verify}{tooltip=Verify package content}{type=boolflag}
+----
+
+_fileselect_::
+Lets the user provide a file path.
+If _mustexist=true_ is provided, the GUI shows the user a dialog for selecting a file.
+When _mustexist=false_ is used, the GUI shows the user a file dialog for saving a file.
++
+[source,python]
+----
+arg {number=3}{call=--logfile}{display=Logfile}{tooltip=A file for log messages}{type=fileselect}{mustexist=false}
+----
+
+_selector_, __editselector__, _radio_, _multicheck_::
+Option fields where the user may choose from one or more options.
+If _parent_ is provided for the value items, the option fields for _multicheck_ and _selector_ are presented in a tree-like structure.
+_selector_ and _radio_ values must present a default value, which will be the value provided to the extcap binary for this argument.
+_editselector_ option fields let the user select from a list of items or enter a custom value.
++
+[source,python]
+----
+arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector}
+value {arg=3}{value=if1}{display=Remote1}{default=true}
+value {arg=3}{value=if2}{display=Remote2}{default=false}
+----
+
+===== Reload A Selector
+
+A selector may be reloaded from the configuration dialog of the extcap application within Wireshark. With the reload argument (defaults to false), the entry can be marked as reloadable.
+
+[source,python]
+----
+arg {number=3}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector}{reload=true}{placeholder=Load interfaces...}
+----
+
+After this has been defined, the user will get a button displayed in the configuration dialog for this extcap application, with the text "Load interfaces..." in this case, and a generic "Reload" text if no text has been provided.
+
+The extcap utility is then called again with all filled out arguments and the additional parameter `--extcap-reload-option <option_name>`. It is expected to return a value section for this option, as it would during normal configuration. The provided option list is then presented as the selection, a previous selected option will be reselected if applicable.
+
+===== Validation Of Arguments
+
+Arguments may be set with `{required=true}` which enforces a value being provided, before
+a capture can be started using the extcap options dialog. This is not being checked, if
+the extcap is started via a simple double-click. The necessary fields are marked for the
+customer, to ensure a visibility for the end customer of the required argument.
+
+Additionally text and number arguments may also be checked using a regular expression,
+which is provided using the validation attribute (see example above). The syntax for
+such a check is the same as for Qt RegExp classes. This feature is only active in the
+Qt version of Wireshark.
+
+
+==== Toolbar Controls
+
+An extcap utility can provide configuration for controls to use in an interface toolbar.
+These controls are bidirectional and can be used to control the extcap utility while
+capturing.
+
+This is useful in scenarios where configuration can be done based on findings in the
+capture process, setting temporary values or give other inputs without restarting the
+current capture.
+
+.Example of interface definition with toolbar controls
+[source,bash]
+----
+$ extcap_example.py --extcap-interfaces
+extcap {version=1.0}{display=Example extcap interface}
+interface {value=example1}{display=Example interface 1 for extcap}
+interface {value=example2}{display=Example interface 2 for extcap}
+control {number=0}{type=string}{display=Message}{tooltip=Package message content. Must start with a capital letter.}{validation=[A-Z]+}{required=true}
+control {number=1}{type=selector}{display=Time delay}{tooltip=Time delay between packages}
+control {number=2}{type=boolean}{display=Verify}{default=true}{tooltip=Verify package content}
+control {number=3}{type=button}{display=Turn on}{tooltip=Turn on or off}
+control {number=4}{type=button}{role=logger}{display=Log}{tooltip=Show capture log}
+value {control=1}{value=1}{display=1 sec}
+value {control=1}{value=2}{display=2 sec}{default=true}
+----
+
+All controls will be presented as GUI elements in a toolbar specific to the extcap
+utility. The extcap must not rely on using those controls (they are optional) because
+of other capturing tools not using GUI (e.g. tshark, tfshark).
+
+
+===== Controls
+
+The controls are similar to the _arguments_, but without the _call_ element.
+All controls may be given a default value at startup and most can be changed during capture, both by the extcap and the user (depending on the type of control).
+
+All controls must provide a _number_, by which they are identified.
+No _number_ may be provided twice.
+All options must present the elements _type_ and _display_, where _type_ provides the type of control to add to the toolbar and _display_ providing the name in the GUI.
+
+Additionally _tooltip_ and _placeholder_ may be provided, which will give the user information about what to enter into this field.
+
+All controls, except from the logger, help and restore buttons, may be disabled
+(and enabled) in GUI by the extcap during capture. This can be because of set-once
+operations, or operations which takes some time to complete.
+
+All control values which are changed by the user (not equal to the default value) will
+be sent to the extcap utility when starting a capture. The extcap utility may choose
+to discard initial values and set new values, depending on implementation.
+
+These __type__s are defined as controls:
+
+[horizontal]
+_boolean_::
+This provides a checkbox which lets the user set a true/false value.
++
+The extcap utility can set a default value at startup, and can change (set) and receive value changes while capturing. When starting a capture the GUI will send the value if different from the default value.
++
+The payload is one byte with binary value 0 or 1.
++
+Valid Commands: Set value, Enable, Disable.
+
+_button_:: This provides a button with different __role__s:
+
+_control_::::
+This button will send a signal when pressed. This is the default if no role is configured.
+The button is only enabled when capturing.
++
+The extcap utility can set the button text at startup, and can change (set) the button text and receive button press signals while capturing. The button is disabled and the button text is restored to the default text when not capturing.
++
+The payload is either the button text or empty (signal).
++
+Valid Commands: Set value, Enable, Disable.
+
+_logger_::::
+This provides a logger mechanism where the extcap utility can send log entries to be presented in a log window.
+This communication is unidirectional.
++
+The payload is the log entry, and should be ended with a newline. Maximum length is 65535 bytes.
++
+Valid Commands: Set log entry, Add log entry.
++
+The Set command will clear the log before adding the entry.
+
+_help_::::
+This button opens the help page, if configured.
+This role has no controls and will not be used in communication.
++
+Valid Commands: None.
+
+_restore_::::
+This button will restore all control values to default.
+This role has no controls and will not be used in communication. The button is only enabled when not capturing.
++
+Valid Commands: None.
+
+_selector_::
+This provides a combo box with fixed values which can be selected.
++
+The extcap utility can set default values at startup, and add and remove values and receive change in value selection while capturing. When starting a capture the GUI will send the value if different from the default value.
++
+The payload is a string with the value, and optionally a string with a display value if this is different from the value. This two string values are separated by a null character.
++
+Valid Commands: Set selected value, Add value, Remove value, Enable, Disable.
++
+If value is empty the Remove command will remove all entries.
+
+_string_::
+This provides a text edit line with the possibility to set a string or any value which can be represented in a string (integer, float, date, etc.).
++
+The extcap utility can set a default string value at startup, and can change (set) and receive value changes while capturing. When starting a capture the GUI will send the value if different from the default value.
++
+The payload is a string with the value. Maximum length is 32767 bytes.
++
+Valid Commands for control: Set value, Enable, Disable.
++
+The element VALIDATION allows to provide a regular expression string, which is used to check the user input for validity beyond normal data type or range checks. Back-slashes must be escaped (as in \\b for \b).
+
+===== Messages
+
+In addition to the controls it’s possible to send a single message from the extcap
+utility to the user. This message can be put in the status bar or displayed in a
+information, warning or error dialog which must be accepted by the user. This message
+does not use the NUMBER argument so this can have any value.
+
+====== Control Protocol
+
+The protocol used to communicate over the control pipes has a fixed size header of
+6 bytes and a payload with 0 - 65535 bytes.
+
+.Control packet:
+[cols="^m", width="50%"]
+|===
+|Sync Pipe Indication (1 byte)
+|Message Length +
+ (3 bytes network order)
+|Control Number (1 byte)
+|Command (1 byte)
+|Payload +
+ (0 - 65535 bytes)
+|===
+
+.Sync Pipe Indication
+The common sync pipe indication. This protocol uses the value “T”.
+
+.Message Length
+Payload length + 2 bytes for control number and command.
+
+.Control Number
+Unique number to identify the control. This number also gives the order of the controls in the interface toolbar.
+
+.Commands and application for controls
+[cols="1,2,3"]
+|===
+|Command Byte|Command Name|Control type
+
+|0 |Initialized |none
+|1 |Set |boolean / button / logger / selector / string
+|2 |Add |logger / selector
+|3 |Remove |selector
+|4 |Enable |boolean / button / selector / string
+|5 |Disable |boolean / button / selector / string
+|6 |Statusbar message |none
+|7 |Information message |none
+|8 |Warning message |none
+|9 |Error message |none
+|===
+
+The `Initialized` command will be sent from the GUI to the extcap utility when all
+user changed control values are sent after starting a capture. This is an indication
+that the GUI is ready to receive control values.
+
+The GUI will only send `Initialized` and `Set` commands. The extcap utility shall not
+send the `Initialized` command.
+
+Messages with unknown control number or command will be silently ignored.
+
+
+// End of WSDG Chapter Capture