extcap capture filter input check

asked 2021-04-12 08:17:04 +0000

thediveo

As an author of an extcap plugin I often get asked how to set a capture filter. Of course, there's Wireshark's own interface capture filter configuration dialog hidden in the main UI.

Unfortunately, when users go to capture, they have already opened my extcap plugin's configuration dialog because they need to select some things before an external capture can be started at all; that's due to the nature of the capture targets supported by my plugin.

  1. Therefore, I would like to add a capture filter input to the configuration of my extcap plugin to help users. Is there any support beyond a plain "text" input when it comes to capture filters that does the syntax check like Wireshark's integrated UI does?

  2. The capture service to which my extcap plugin connects also features a browser-based UI and a one-click method to transfer the necessary capture parameters into Wireshark and the extcap plugin. Is there a capture filter syntax checker available for JavaScript?

Comments

You might also post to the dev mailing list, see here.

grahamb ( 2021-04-12 08:29:51 +0000 )

1 Answer

answered 2021-04-12 15:32:06 +0000

cmaynard

Is there any support beyond a plain "text" input when it comes to capture filters that does the syntax check like Wireshark's integrated UI does?

You can use dumpcap with the -d option to, "Dump the code generated for the capture filter in a human-readable form, and exit."

For example, on Windows:

  1. A valid capture filter:
    dumpcap.exe -f "icmp" -d 2>&1 | find "Invalid" > nul
    echo %errorlevel%
    1
  2. An invalid capture filter:
    dumpcap.exe -f "foo" -d 2>&1 | find "Invalid" > nul
    echo %errorlevel%
    0

On Linux:

  1. A valid capture filter:
    dumpcap -f "icmp" -d 2>&1 | grep "Invalid" > /dev/null
    echo $?
    1
  2. An invalid capture filter:
    dumpcap -f "foo" -d 2>&1 | grep "Invalid" > /dev/null
    echo $?
    0

I don't know how well that solution could be integrated with your extcap though.

Comments

The catch here is that extcap UI dialogs are handled and processed by Wireshark, not by any extcap plugin ... except for after the fact, when the user presses Start or Save. And then this is almost the same as sending the filter string to the capture server with its own dumpcap and then wait and see what's happening.

thediveo ( 2021-04-12 15:39:31 +0000 )
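
As an added example (not code from this thread or from Wireshark): a Python helper that an extcap plugin or capture server could call once it receives the filter string, built on the `dumpcap -f ... -d` check from the answer and passing the filter as a single argv element rather than through a shell. The three-state result, the length cap, the `(NNN)` instruction-line pattern and the sample outputs are assumptions constructed for this example.

```python
import re
import subprocess

MAX_LEN = 1024  # assumed cap for this example, not a Wireshark limit
BPF_LINE = re.compile(r"^\(\d{3}\) ")  # assumed shape of a -d instruction line

def check_capture_filter(expr, dumpcap="dumpcap", run=subprocess.run):
    """Classify expr as 'valid', 'invalid' or 'unknown' via `dumpcap -f expr -d`."""
    if not expr.strip():
        return "valid", ""  # an empty capture filter means "capture everything"
    if len(expr) > MAX_LEN or any(ord(c) < 0x20 or ord(c) == 0x7F for c in expr):
        return "invalid", "filter too long or contains control characters"
    try:
        # argv list, no shell: the filter stays one argument whatever it contains
        proc = run([dumpcap, "-f", expr, "-d"], stdout=subprocess.PIPE,
                   stderr=subprocess.STDOUT, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return "unknown", f"could not run {dumpcap}: {exc}"
    lines = proc.stdout.splitlines()
    for line in lines:
        if "Invalid" in line:  # same marker the answer greps for
            return "invalid", line.strip()
    if any(BPF_LINE.match(line) for line in lines):
        return "valid", ""
    # Neither marker: dumpcap failed for another reason, so do not report "valid"
    return "unknown", proc.stdout.strip()

# Constructed dumpcap outputs, so the example runs without dumpcap installed.
SAMPLE_OK = "Capturing on 'eth0'\n(000) ldh      [12]\n(001) ret      #262144\n"
SAMPLE_BAD = "dumpcap: Invalid capture filter \"foo\" for interface 'eth0'.\n"
SAMPLE_ERR = "dumpcap: permission denied (constructed)\n"

def fake_run(output):
    """Stand-in for subprocess.run that returns a canned output (demo helper)."""
    def run(argv, **kwargs):
        return subprocess.CompletedProcess(argv, 0, stdout=output)
    return run

if __name__ == "__main__":
    for expr, out in [("icmp", SAMPLE_OK), ("foo", SAMPLE_BAD), ("tcp", SAMPLE_ERR)]:
        print(expr, check_capture_filter(expr, run=fake_run(out)))
```

Called without the `run` argument, the helper invokes the real `dumpcap` found on `PATH`.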

Stats

Asked: 2021-04-12 08:17:04 +0000

Seen: 279 times

Last updated: Apr 12 '21