I am writing an extcap plugin for Wireshark (Windows version). The documentation
on how Wireshark stops an extcap capture is a bit sketchy, but it seems it
simply terminates the extcap plugin.

If I run the extcap binary standalone, and stop it with Ctrl+C, everything
works as expected. The written pcapng file contains all blocks. But when
Wireshark runs the extcap binary, the last block, the "interface statistics
block", never shows up in the Wireshark capture.

Is this a bug in Wireshark? Does Wireshark ignore any additional blocks in the 
pcapng fifo after it has sent the signal to kill the extcap binary?

The essential parts of the extcap plugin look like this:



#include <signal.h>
#include <stdio.h>

static volatile int keepRunning = 1;

/* Signal handler: ask the capture loop to stop. */
void intHandler(int dummy) {
    keepRunning = 0;
}

int main(int argc, char *argv[])
{
   ... Parse arguments ...

   fp = fopen (pcOutputFilename, "wb");
   fwrite( &sSHB, sizeof(sSHB), 1, fp ); // write section header block to pcapng file.
   fwrite( &sIDB, sizeof(sIDB), 1, fp ); // write interface description block to pcapng file.

   signal(SIGINT, intHandler);
   signal(SIGTERM, intHandler);

   do{
      ... Capture frames and write to fp ...
   }
   while( keepRunning );

   fwrite( &sISB, sizeof(sISB), 1, fp ); // write interface statistics block to pcapng file.

   fclose(fp);
}



Regards,
Timmy Brolin
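
One way to check which blocks actually reached a capture file, as an added example (not part of the original post and not Wireshark code): a minimal pcapng block walker that reports the type of the last complete block, so a missing trailing interface statistics block (type 5) or a cut-off block becomes visible. It assumes a little-endian section; the name pcapng_scan and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PCAPNG_SHB 0x0A0D0D0Au  /* section header block type */
#define PCAPNG_ISB 0x00000005u  /* interface statistics block type */
#define PCAPNG_BOM 0x1A2B3C4Du  /* byte-order magic inside the SHB */

/* Read a little-endian 32-bit value regardless of host byte order. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the blocks in buf. Returns the number of complete blocks, or -1 if
 * the data is malformed. *last_type gets the type of the last complete
 * block; *truncated is set when the data ends in the middle of a block. */
int pcapng_scan(const uint8_t *buf, size_t len, uint32_t *last_type, int *truncated) {
    size_t off = 0;
    int n = 0;
    *last_type = 0;
    *truncated = 0;
    if (len < 12 || rd32(buf) != PCAPNG_SHB || rd32(buf + 8) != PCAPNG_BOM)
        return -1;                          /* not a little-endian pcapng section */
    while (off < len) {
        if (len - off < 12) { *truncated = 1; break; }
        uint32_t type = rd32(buf + off), total = rd32(buf + off + 4);
        if (total < 12 || total % 4 != 0) return -1;
        if (total > len - off) { *truncated = 1; break; }
        if (rd32(buf + off + total - 4) != total) return -1; /* trailer mismatch */
        *last_type = type;
        off += total;
        n++;
    }
    return n;
}

/* Constructed sample: minimal SHB (28 bytes), IDB (20 bytes), ISB (24 bytes). */
static const uint8_t sample[72] = {
    0x0A,0x0D,0x0D,0x0A, 0x1C,0,0,0, 0x4D,0x3C,0x2B,0x1A, 1,0,0,0,
    0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, 0x1C,0,0,0,
    1,0,0,0, 0x14,0,0,0, 1,0,0,0, 0,0,0,0, 0x14,0,0,0,
    5,0,0,0, 0x18,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0x18,0,0,0 };

int main(void) {
    uint32_t last; int trunc;
    int n = pcapng_scan(sample, sizeof sample, &last, &trunc);
    printf("%d blocks, last type 0x%08X, truncated=%d, ISB last=%s\n",
           n, (unsigned)last, trunc, last == PCAPNG_ISB ? "yes" : "no");
    return 0;
}
```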
