Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

2021-02-11 Thread Timmy Brolin
Proposed solution

I have investigated this in more depth and found that Wireshark simply does not 
do any kind of graceful termination of extcaps. It always kills extcaps 
forcefully, which causes loss of data on the capture pipe.
Particularly the pcapng “Interface Statistics Block” is always lost, which 
probably is why none of the built-in extcaps in Wireshark supports the 
Interface Statistics block at the moment: They can’t.

Win32 offers very few methods for graceful termination of processes. The most 
recommended standard method, to my knowledge, is to use the WM_CLOSE message, 
which is what I have implemented here:
https://gitlab.com/wireshark/wireshark/-/merge_requests/2063

Regards,
Timmy Brolin



From: Wireshark-dev  On Behalf Of Timmy 
Brolin
Sent: 24 November 2020 11:07
To: Developer support list for Wireshark 
Subject: Re: [Wireshark-dev] How to properly finalize capture in a Wireshark 
extcap plugin?

> Windows Console applications have a handler to respond to console events, the 
> default handler simply exits the process.  Sending the console events is a 
> little tricky, but there are workarounds, see here: 
> https://blog.codetitans.pl/post/sending-ctrl-c-signal-to-another-application-on-windows.

I am working on an extcap, I only need to know what kind of event to listen to 
from Wireshark.
> Without having done any of this, I imagine the extcap "controller" would send 
> a console event to indicate the extcap should close the capture, e.g. the 
> Ctrl + C or Ctrl + Break events, and if the extcap process has a handler to 
> catch the event, do whatever it wishes before exiting.  Making the extcap 
> "controller" keep the pipe open for the appropriate amount of time might also 
> require work.


Reading through capchild/capture_sync.c I came across this function:

/* tell the child through the signal pipe that we want to quit the capture */
static void
signal_pipe_capquit_to_child(capture_session *cap_session)
{
    const char quit_msg[] = "QUIT";
    int ret;

    g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "signal_pipe_capquit_to_child");

    /* it doesn't matter *what* we send here, the first byte will stop the capture */
    /* simply sending a "QUIT" string */
    /*pipe_write_block(cap_session->signal_pipe_write_fd, SP_QUIT, quit_msg);*/
    ret = ws_write(cap_session->signal_pipe_write_fd, quit_msg, sizeof quit_msg);
    if(ret == -1) {
        g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
              "signal_pipe_capquit_to_child: %d header: error %s",
              cap_session->signal_pipe_write_fd, g_strerror(errno));
    }
}

It seems Wireshark is supposed to send a “QUIT” string to extcap to gracefully 
stop a capture, 500ms before killing extcap?

I have tried having the extcap listening to “kbhit()” for stdin input, but I 
get nothing.
Is this “QUIT” message from Wireshark not piped to extcap stdin?

Or am I reading the code completely wrong?


On Tue, 24 Nov 2020 at 08:44, Timmy Brolin mailto:t...@hms.se>> 
wrote:
> > There seem to be several alternative ways of doing it in Windows.
> >
> > Such as sending WM_QUIT or WM_CLOSE on the message queue,
>
> This assumes that the program you're trying to tell to terminate *has* a 
> message queue to which it pays attention.
>
> Extcap programs are character-mode (console) programs, not windows programs; 
> unless there's some hidden thread that's listening to a Windows message queue 
> in those programs, they won't see that message.

Well, since I am writing the extcap, I can certainly add a Windows message 
queue, if that is what it takes to make it work properly with Wireshark.
I have made some tests with this, but so far I have not seen a WM_CLOSE or 
WM_QUIT message on the queue.

> > or CTRL_BREAK_EVENT via SetConsoleCtrlHandler().
>
> According to a comment in sig_pipe_kill() in capchild/capture_sync.c:
>
> so that might not work either.

So is there no way for an extcap to gracefully end a capture?
And thereby no way for an extcap to send an Interface Statistics Block to 
Wireshark?


I would like for the extcap to be able to report the number of dropped packets 
to Wireshark.
According to the pcapng specification, this can be done either via the 
"epb_dropcount" option in the Enhanced Packet Block or via the "isb_ifdrop" or 
"isb_osdrop" options in the Interface Statistics block.
Out of these three options, Wireshark only seems to support the "isb_ifdrop" 
option, so the Interface Statistics Block is the only way to report dropped 
packets.

--
Graham Bloice
___
Sent via:Wireshark-dev mailing list 
Archives:https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
 mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe

Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

2020-11-24 Thread Timmy Brolin
> Windows Console applications have a handler to respond to console events, the 
> default handler simply exits the process.  Sending the console events is a 
> little tricky, but there are workarounds, see here: 
> https://blog.codetitans.pl/post/sending-ctrl-c-signal-to-another-application-on-windows.

I am working on an extcap, I only need to know what kind of event to listen to 
from Wireshark.

> Without having done any of this, I imagine the extcap "controller" would send 
> a console event to indicate the extcap should close the capture, e.g. the 
> Ctrl + C or Ctrl + Break events, and if the extcap process has a handler to 
> catch the event, do whatever it wishes before exiting.  Making the extcap 
> "controller" keep the pipe open for the appropriate amount of time might also 
> require work.


Reading through capchild/capture_sync.c I came across this function:

/* tell the child through the signal pipe that we want to quit the capture */
static void
signal_pipe_capquit_to_child(capture_session *cap_session)
{
    const char quit_msg[] = "QUIT";
    int ret;

    g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "signal_pipe_capquit_to_child");

    /* it doesn't matter *what* we send here, the first byte will stop the capture */
    /* simply sending a "QUIT" string */
    /*pipe_write_block(cap_session->signal_pipe_write_fd, SP_QUIT, quit_msg);*/
    ret = ws_write(cap_session->signal_pipe_write_fd, quit_msg, sizeof quit_msg);
    if(ret == -1) {
        g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
              "signal_pipe_capquit_to_child: %d header: error %s",
              cap_session->signal_pipe_write_fd, g_strerror(errno));
    }
}

It seems Wireshark is supposed to send a “QUIT” string to extcap to gracefully 
stop a capture, 500ms before killing extcap?

I have tried having the extcap listening to “kbhit()” for stdin input, but I 
get nothing.
Is this “QUIT” message from Wireshark not piped to extcap stdin?

Or am I reading the code completely wrong?


On Tue, 24 Nov 2020 at 08:44, Timmy Brolin mailto:t...@hms.se>> 
wrote:
> > There seem to be several alternative ways of doing it in Windows.
> >
> > Such as sending WM_QUIT or WM_CLOSE on the message queue,
>
> This assumes that the program you're trying to tell to terminate *has* a 
> message queue to which it pays attention.
>
> Extcap programs are character-mode (console) programs, not windows programs; 
> unless there's some hidden thread that's listening to a Windows message queue 
> in those programs, they won't see that message.

Well, since I am writing the extcap, I can certainly add a Windows message 
queue, if that is what it takes to make it work properly with Wireshark.
I have made some tests with this, but so far I have not seen a WM_CLOSE or 
WM_QUIT message on the queue.

> > or CTRL_BREAK_EVENT via SetConsoleCtrlHandler().
>
> According to a comment in sig_pipe_kill() in capchild/capture_sync.c:
>
> so that might not work either.

So is there no way for an extcap to gracefully end a capture?
And thereby no way for an extcap to send an Interface Statistics Block to 
Wireshark?


I would like for the extcap to be able to report the number of dropped packets 
to Wireshark.
According to the pcapng specification, this can be done either via the 
"epb_dropcount" option in the Enhanced Packet Block or via the "isb_ifdrop" or 
"isb_osdrop" options in the Interface Statistics block.
Out of these three options, Wireshark only seems to support the "isb_ifdrop" 
option, so the Interface Statistics Block is the only way to report dropped 
packets.

--
Graham Bloice

Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

2020-11-24 Thread Graham Bloice
Windows Console applications have a handler to respond to console events,
the default handler simply exits the process.  Sending the console events
is a little tricky, but there are workarounds, see here:
https://blog.codetitans.pl/post/sending-ctrl-c-signal-to-another-application-on-windows.

Without having done any of this, I imagine the extcap "controller" would
send a console event to indicate the extcap should close the capture, e.g.
the Ctrl + C or Ctrl + Break events, and if the extcap process has a
handler to catch the event, do whatever it wishes before exiting.  Making
the extcap "controller" keep the pipe open for the appropriate amount of
time might also require work.

On Tue, 24 Nov 2020 at 08:44, Timmy Brolin  wrote:

> > > There seem to be several alternative ways of doing it in Windows.
> > >
> > > Such as sending WM_QUIT or WM_CLOSE on the message queue,
> >
> > This assumes that the program you're trying to tell to terminate *has* a
> message queue to which it pays attention.
> >
> > Extcap programs are character-mode (console) programs, not windows
> programs; unless there's some hidden thread that's listening to a Windows
> message queue in those programs, they won't see that message.
>
> Well, since I am writing the extcap, I can certainly add a Windows message
> queue, if that is what it takes to make it work properly with Wireshark.
> I have made some tests with this, but so far I have not seen a WM_CLOSE or
> WM_QUIT message on the queue.
>
> > > or CTRL_BREAK_EVENT via SetConsoleCtrlHandler().
> >
> > According to a comment in sig_pipe_kill() in capchild/capture_sync.c:
> >
> > so that might not work either.
>
> So is there no way for an extcap to gracefully end a capture?
> And thereby no way for an extcap to send an Interface Statistics Block
> to Wireshark?
>
>
> I would like for the extcap to be able to report the number of dropped packets
> to Wireshark.
> According to the pcapng specification, this can be done either via the
> "epb_dropcount" option in the Enhanced Packet Block or via the "isb_ifdrop"
> or "isb_osdrop" options in the Interface Statistics block.
> Out of these three options, Wireshark only seems to support the
> "isb_ifdrop" option, so the Interface Statistics Block is the only way to
> report dropped packets.
>
>
-- 
Graham Bloice

Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

2020-11-24 Thread Timmy Brolin
> > There seem to be several alternative ways of doing it in Windows.
> > 
> > Such as sending WM_QUIT or WM_CLOSE on the message queue,
>
> This assumes that the program you're trying to tell to terminate *has* a 
> message queue to which it pays attention.
>
> Extcap programs are character-mode (console) programs, not windows programs; 
> unless there's some hidden thread that's listening to a Windows message queue 
> in those programs, they won't see that message.

Well, since I am writing the extcap, I can certainly add a Windows message 
queue, if that is what it takes to make it work properly with Wireshark.
I have made some tests with this, but so far I have not seen a WM_CLOSE or 
WM_QUIT message on the queue.

> > or CTRL_BREAK_EVENT via SetConsoleCtrlHandler().
>
> According to a comment in sig_pipe_kill() in capchild/capture_sync.c:
>
> so that might not work either.

So is there no way for an extcap to gracefully end a capture?
And thereby no way for an extcap to send an Interface Statistics Block to 
Wireshark?


I would like for the extcap to be able to report the number of dropped packets 
to Wireshark.
According to the pcapng specification, this can be done either via the 
"epb_dropcount" option in the Enhanced Packet Block or via the "isb_ifdrop" or 
"isb_osdrop" options in the Interface Statistics block.
Out of these three options, Wireshark only seems to support the "isb_ifdrop" 
option, so the Interface Statistics Block is the only way to report dropped 
packets.




Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

2020-11-23 Thread Guy Harris
On Nov 23, 2020, at 7:09 AM, Timmy Brolin  wrote:

> Reading up on it a bit, turns out there is no such thing as SIGTERM in 
> Windows.

Correct.

> There seem to be several alternative ways of doing it in Windows.
> 
> Such as sending WM_QUIT or WM_CLOSE on the message queue,

This assumes that the program you're trying to tell to terminate *has* a 
message queue to which it pays attention.

Extcap programs are character-mode (console) programs, not windows programs; 
unless there's some hidden thread that's listening to a Windows message queue 
in those programs, they won't see that message.

> or CTRL_BREAK_EVENT via SetConsoleCtrlHandler().

According to a comment in sig_pipe_kill() in capchild/capture_sync.c:

/* Remark: This is not the preferred method of closing a process!
 * the clean way would be getting the process id of the child process,
 * then getting window handle hWnd of that process (using EnumChildWind$
 * and then do a SendMessage(hWnd, WM_CLOSE, 0, 0)
 *
 * Unfortunately, I don't know how to get the process id from the
 * handle.  OpenProcess will get an handle (not a window handle)
 * from the process ID; it will not get a window handle from the
 * process ID.  (How could it?  A process can have more than one
 * window.  For that matter, a process might have *no* windows,
 * as a process running dumpcap, the normal child process program,
 * probably does.)
 *
 * Hint: GenerateConsoleCtrlEvent() will only work if both processes are
 * running in the same console; that's not necessarily the case for
 * us, as we might not be running in a console.
 * And this also will require to have the process id.
 */

so that might not work either.

Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

2020-11-23 Thread Timmy Brolin
The signal handler is called when extcap is executed stand-alone, and killed 
with Ctrl+C (SIGINT).
But the signal handler is not called when Wireshark executes the extcap.
I have not tried the code in unix. I have no unix machine around.


Reading up on it a bit, turns out there is no such thing as SIGTERM in Windows.
Sources:
https://maruel.ca/post/python_windows_signal/
https://stackoverflow.com/questions/38300117/why-doesnt-sigterm-works-on-windows

There seem to be several alternative ways of doing it in Windows.
Such as sending WM_QUIT or WM_CLOSE on the message queue, or CTRL_BREAK_EVENT 
via SetConsoleCtrlHandler().
Or using SIGINT instead.

I guess Wireshark is in fact not using SIGTERM on windows, since that seems to 
be impossible.
So the question is, which of the other methods does Wireshark use to stop the 
extcap on Windows?



From: Wireshark-dev  On Behalf Of Dario 
Lombardo
Sent: 23 November 2020 14:31
To: Developer support list for Wireshark 
Subject: Re: [Wireshark-dev] How to properly finalize capture in a Wireshark 
extcap plugin?

Indeed the used signal to terminate the extcap is SIGTERM.
Is your signal handler called? Did you run a debugger to see which signal is 
interrupting your code?
Did you try your code on unix?

On Mon, Nov 23, 2020 at 10:31 AM Timmy Brolin mailto:t...@hms.se>> 
wrote:

I am writing an extcap plugin for Wireshark (Windows version). The documentation 
on how Wireshark stops an extcap capture is a bit sketchy, but it seems it 
simply terminates the extcap plugin.

If I run the extcap binary standalone, and stop it with Ctrl+C, everything 
works as expected. The written pcapng file contains all blocks. But when 
Wireshark runs the extcap binary, the last block, the "interface statistics 
block", never shows up in the Wireshark capture.

Is this a bug in Wireshark? Does Wireshark ignore any additional blocks in the 
pcapng fifo after it has sent the signal to kill the extcap binary?

The essential parts of the extcap plugin look like this:



#include <stdio.h>
#include <signal.h>

static volatile int keepRunning = 1;

void intHandler(int dummy) {
    keepRunning = 0;
}

int main(int argc, char *argv[])
{
    FILE *fp;
    /* ... Parse arguments ... */

    fp = fopen(pcOutputFilename, "wb");
    fwrite(&sSHB, sizeof(sSHB), 1, fp); // write section header block to pcapng file.
    fwrite(&sIDB, sizeof(sIDB), 1, fp); // write interface description block to pcapng file.

    signal(SIGINT, intHandler);
    signal(SIGTERM, intHandler);

    do {
        /* ... Capture frames and write to fp ... */
    } while (keepRunning);

    fwrite(&sISB, sizeof(sISB), 1, fp); // write interface statistics block to pcapng file.

    fclose(fp);
}



Regards,
Timmy Brolin



--

Naima is online.

Re: [Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

2020-11-23 Thread Dario Lombardo
Indeed the used signal to terminate the extcap is SIGTERM.
Is your signal handler called? Did you run a debugger to see which signal
is interrupting your code?
Did you try your code on unix?

On Mon, Nov 23, 2020 at 10:31 AM Timmy Brolin  wrote:

> I am writing an extcap plugin for Wireshark (Windows version). The
> documentation on how Wireshark stops an extcap capture is a bit sketchy, but
> it seems it simply terminates the extcap plugin.
>
> If I run the extcap binary standalone, and stop it with Ctrl+C,
> everything works as expected. The written pcapng file contains all blocks.
> But when Wireshark runs the extcap binary, the last block, the "interface
> statistics block", never shows up in the Wireshark capture.
>
> Is this a bug in Wireshark? Does Wireshark ignore any additional blocks in
> the pcapng fifo after it has sent the signal to kill the extcap binary?
>
> The essential parts of the extcap plugin look like this:
>
>
>
> #include <stdio.h>
> #include <signal.h>
>
> static volatile int keepRunning = 1;
>
> void intHandler(int dummy) {
>     keepRunning = 0;
> }
>
> int main(int argc, char *argv[])
> {
>     FILE *fp;
>     /* ... Parse arguments ... */
>
>     fp = fopen(pcOutputFilename, "wb");
>     fwrite(&sSHB, sizeof(sSHB), 1, fp); // write section header block to pcapng file.
>     fwrite(&sIDB, sizeof(sIDB), 1, fp); // write interface description block to pcapng file.
>
>     signal(SIGINT, intHandler);
>     signal(SIGTERM, intHandler);
>
>     do {
>         /* ... Capture frames and write to fp ... */
>     } while (keepRunning);
>
>     fwrite(&sISB, sizeof(sISB), 1, fp); // write interface statistics block to pcapng file.
>
>     fclose(fp);
> }
>
>
>
>
>
>
>
> Regards,
>
> Timmy Brolin
>
>



-- 

Naima is online.

[Wireshark-dev] How to properly finalize capture in a Wireshark extcap plugin?

2020-11-23 Thread Timmy Brolin
I am writing an extcap plugin for Wireshark (Windows version). The documentation 
on how Wireshark stops an extcap capture is a bit sketchy, but it seems it 
simply terminates the extcap plugin.

If I run the extcap binary standalone, and stop it with Ctrl+C, everything 
works as expected. The written pcapng file contains all blocks. But when 
Wireshark runs the extcap binary, the last block, the "interface statistics 
block", never shows up in the Wireshark capture.

Is this a bug in Wireshark? Does Wireshark ignore any additional blocks in the 
pcapng fifo after it has sent the signal to kill the extcap binary?

The essential parts of the extcap plugin look like this:



#include <stdio.h>
#include <signal.h>

static volatile int keepRunning = 1;

void intHandler(int dummy) {
    keepRunning = 0;
}

int main(int argc, char *argv[])
{
    FILE *fp;
    /* ... Parse arguments ... */

    fp = fopen(pcOutputFilename, "wb");
    fwrite(&sSHB, sizeof(sSHB), 1, fp); // write section header block to pcapng file.
    fwrite(&sIDB, sizeof(sIDB), 1, fp); // write interface description block to pcapng file.

    signal(SIGINT, intHandler);
    signal(SIGTERM, intHandler);

    do {
        /* ... Capture frames and write to fp ... */
    } while (keepRunning);

    fwrite(&sISB, sizeof(sISB), 1, fp); // write interface statistics block to pcapng file.

    fclose(fp);
}



Regards,
Timmy Brolin

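The snippet above elides the pcapng block layouts and the shutdown path that the whole thread turns on, so here is an added, self-contained example (my code, not the poster's extcap and not Wireshark source) of the same structure with those parts filled in: a little-endian pcapng writer that emits the SHB, IDB, a few Enhanced Packet Blocks and, only after the capture loop exits, an Interface Statistics Block carrying isb_ifdrop; a stop flag set from SIGINT/SIGTERM and, on Windows, from a SetConsoleCtrlHandler callback (the thread establishes that Wireshark does not deliver such an event today, so the handler only helps for stand-alone runs); and a reader-side walk of the block chain that reports whether the ISB survived. Block type numbers and option codes (ISB type 5, isb_ifdrop code 5) follow the pcapng specification; the three Ethernet frames, the drop count of 7 and the output name "demo.pcapng" are constructed sample values.

```c
/* Added example, not from the thread or from Wireshark: pcapng writer with a
 * final ISB, a stop flag fed by signal/console handlers, and a reader check. */
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

static volatile sig_atomic_t keep_running = 1;
static void stop_handler(int sig) { (void)sig; keep_running = 0; }

#ifdef _WIN32
/* Console programs receive Ctrl+C / Ctrl+Break / close through this callback,
 * not through SIGTERM; returning TRUE keeps the default handler from exiting. */
static BOOL WINAPI console_handler(DWORD type) { (void)type; keep_running = 0; return TRUE; }
#endif

void install_stop_handlers(void) {
    signal(SIGINT, stop_handler);
    signal(SIGTERM, stop_handler);
#ifdef _WIN32
    SetConsoleCtrlHandler(console_handler, TRUE);
#endif
}

/* Little-endian field helpers; the SHB magic tells readers which order is used. */
static size_t put_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); return 2; }
static size_t put_u32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); return 4; }
static size_t put_u64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); return 8; }
static uint16_t get_u16(const uint8_t *p) { return (uint16_t)(p[0] | (uint16_t)p[1] << 8); }
static uint32_t get_u32(const uint8_t *p) { return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t get_u64(const uint8_t *p) { return get_u32(p) | (uint64_t)get_u32(p + 4) << 32; }

/* General block structure: type, total length, body, total length again. */
static size_t write_block(uint8_t *out, uint32_t type, const uint8_t *body, size_t body_len) {
    uint32_t total = (uint32_t)(12 + body_len);
    size_t n = put_u32(out, type);
    n += put_u32(out + n, total);
    memcpy(out + n, body, body_len); n += body_len;
    return n + put_u32(out + n, total);
}

/* Section Header Block: byte-order magic, version 1.0, section length unknown. */
size_t build_shb(uint8_t *out) {
    uint8_t b[16]; size_t n = put_u32(b, 0x1A2B3C4D);
    n += put_u16(b + n, 1); n += put_u16(b + n, 0); n += put_u64(b + n, UINT64_MAX);
    return write_block(out, 0x0A0D0D0A, b, n);
}

/* Interface Description Block: LINKTYPE_ETHERNET (1), reserved, snaplen 65535. */
size_t build_idb(uint8_t *out) {
    uint8_t b[8]; size_t n = put_u16(b, 1);
    n += put_u16(b + n, 0); n += put_u32(b + n, 65535);
    return write_block(out, 0x00000001, b, n);
}

/* Enhanced Packet Block: interface 0, timestamp high/low, captured and original
 * length, packet data padded to a 32-bit boundary, no options. */
size_t build_epb(uint8_t *out, uint64_t ts, const uint8_t *pkt, uint32_t len) {
    uint8_t b[20 + 256]; uint32_t padded = (len + 3) & ~3u;
    if (padded > 256) return 0;
    size_t n = put_u32(b, 0);
    n += put_u32(b + n, (uint32_t)(ts >> 32)); n += put_u32(b + n, (uint32_t)ts);
    n += put_u32(b + n, len); n += put_u32(b + n, len);
    memcpy(b + n, pkt, len); memset(b + n + len, 0, padded - len); n += padded;
    return write_block(out, 0x00000006, b, n);
}

/* Interface Statistics Block: interface 0, timestamp, isb_ifdrop (code 5, 8-byte
 * value), opt_endofopt. This is the block lost if the writer is killed early. */
size_t build_isb(uint8_t *out, uint64_t ts, uint64_t ifdrop) {
    uint8_t b[28]; size_t n = put_u32(b, 0);
    n += put_u32(b + n, (uint32_t)(ts >> 32)); n += put_u32(b + n, (uint32_t)ts);
    n += put_u16(b + n, 5); n += put_u16(b + n, 8); n += put_u64(b + n, ifdrop);
    n += put_u16(b + n, 0); n += put_u16(b + n, 0);
    return write_block(out, 0x00000005, b, n);
}

/* Reader-side check: walk the chain; return 1 and the isb_ifdrop value if an ISB
 * is present and complete, 0 if the stream ends without one or is cut short. */
int find_isb_ifdrop(const uint8_t *buf, size_t n, uint64_t *ifdrop) {
    for (size_t off = 0; off + 12 <= n; ) {
        uint32_t type = get_u32(buf + off), total = get_u32(buf + off + 4);
        if (total < 12 || off + total > n) return 0;            /* truncated block */
        if (type == 0x00000005) {
            for (size_t o = off + 20; o + 4 <= off + total - 4; ) {  /* option list */
                uint16_t code = get_u16(buf + o), olen = get_u16(buf + o + 2);
                if (code == 0) return 0;
                if (code == 5 && olen == 8) { *ifdrop = get_u64(buf + o + 4); return 1; }
                o += 4 + ((olen + 3u) & ~3u);
            }
            return 0;
        }
        off += total;
    }
    return 0;
}

/* Simulated session: three constructed 14-byte frames, then the ISB reporting
 * 7 interface drops once the loop has ended. Returns bytes produced. */
size_t demo_capture(uint8_t *out, size_t cap) {
    static const uint8_t frame[14] = {0xff,0xff,0xff,0xff,0xff,0xff, 1,2,3,4,5,6, 0x08,0x00};
    size_t n = build_shb(out);
    n += build_idb(out + n);
    for (int i = 0; i < 3 && keep_running && n + 48 <= cap; i++)
        n += build_epb(out + n, 1000000ULL * (uint64_t)i, frame, sizeof frame);
    if (n + 40 <= cap) n += build_isb(out + n, 3000000ULL, 7);   /* finalize */
    return n;
}

size_t demo_total_bytes(void) { static uint8_t buf[4096]; return demo_capture(buf, sizeof buf); }
uint64_t demo_reported_ifdrop(void) {
    static uint8_t buf[4096]; uint64_t d = 0; size_t n = demo_capture(buf, sizeof buf);
    return find_isb_ifdrop(buf, n, &d) ? d : UINT64_MAX;
}
/* The same stream cut 4 bytes short, as a reader sees it when the writer died
 * mid-write: the ISB and its drop count are gone. */
int demo_truncated_has_isb(void) {
    static uint8_t buf[4096]; uint64_t d = 0; size_t n = demo_capture(buf, sizeof buf);
    return find_isb_ifdrop(buf, n - 4, &d);
}

int main(void) {
    static uint8_t buf[4096]; uint64_t drops = 0;
    install_stop_handlers();
    size_t n = demo_capture(buf, sizeof buf);
    FILE *fp = fopen("demo.pcapng", "wb");          /* constructed output name */
    if (fp) { fwrite(buf, 1, n, fp); fclose(fp); }
    printf("%zu bytes, ISB present: %d, isb_ifdrop=%llu\n", n,
           find_isb_ifdrop(buf, n, &drops), (unsigned long long)drops);
    return 0;
}
```

The reader check is the part worth keeping around: a capture whose extcap was killed before the final write looks exactly like the truncated case, so a drop count that never appears in Wireshark's statistics is indistinguishable from "no drops" unless the consumer verifies that an ISB closed the section.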