On Sun, Mar 21, 2021 at 1:21 PM Martin Mathieson via Wireshark-dev
<wireshark-dev@xxxxxxxxxxxxx> wrote:
> Can an extcap program write to a wiretap-supported file format other than pcap or pcapng? A quick test (hack to file preamble and frames in extcap_example.py) suggests not..
> Has it to do with synchronising whole frames being read at the wireshark end of the pipe?
Currently extcap is inherently bound to pcap. Currently extcaps
mention their DLT that determines link layer header type (as defined
at [1]) when they are being called with --extcap-dlts argument. When
you capture from extcap source, it is dumpcap that reads the pcap
stream that is written to the pipe by extcap.
To make extcap support different file types would would need to:
* extend extcap interface with a method to let Wireshark know that
the extcap in question does not output pcap data
* make dumpcap capable of at least passing the data from the pipe to Wireshark
[1] https://www.tcpdump.org/linktypes.html
