> Windows Console applications have a handler to respond to console events, the
> default handler simply exits the process. Sending the console events is a
> little tricky, but there are workarounds, see here:
> https://blog.codetitans.pl/post/sending-ctrl-c-signal-to-another-application-on-windows.

I am working on an extcap, I only need to know what kind of event to listen to from Wireshark.

> Without having done any of this, I imagine the extcap "controller" would send
> a console event to indicate the extcap should close the capture, e.g. the
> Ctrl + C or Ctrl + Break events, and if the extcap process has a handler to
> catch the event, do whatever it wishes before exiting. Making the extcap
> "controller" keep the pipe open for the appropriate amount of time might also
> require work.

Reading through capchild/capture_sync.c I came across this function:

    /* tell the child through the signal pipe that we want to quit the capture */
    static void
    signal_pipe_capquit_to_child(capture_session *cap_session)
    {
        const char quit_msg[] = "QUIT";
        int ret;

        g_log(LOG_DOMAIN_CAPTURE, G_LOG_LEVEL_DEBUG, "signal_pipe_capquit_to_child");

        /* it doesn't matter *what* we send here, the first byte will stop the capture */
        /* simply sending a "QUIT" string */
        /*pipe_write_block(cap_session->signal_pipe_write_fd, SP_QUIT, quit_msg);*/
        ret = ws_write(cap_session->signal_pipe_write_fd, quit_msg, sizeof quit_msg);
        if(ret == -1) {
            g_log(LOG_DOMAIN_CAPTURE_CHILD, G_LOG_LEVEL_WARNING,
                  "signal_pipe_capquit_to_child: %d header: error %s",
                  cap_session->signal_pipe_write_fd, g_strerror(errno));
        }
    }

It seems Wireshark is supposed to send a “QUIT” string to extcap to gracefully stop a capture, 500ms before killing extcap?
I have tried having the extcap listening to “kbhit()” for stdin input, but I get nothing.
Is this “QUIT” message from Wireshark not piped to extcap stdin?
Or am I reading the code completely wrong?

On Tue, 24 Nov 2020 at 08:44, Timmy Brolin <t...@hms.se> wrote:

> > There seem to exist several alternative ways of doing it in Windows.
> >
> > Such as sending WM_QUIT or WM_CLOSE on the message queue,
>
> This assumes that the program you're trying to tell to terminate *has* a
> message queue to which it pays attention.
>
> Extcap programs are character-mode (console) programs, not windows programs;
> unless there's some hidden thread that's listening to a Windows message queue
> in those programs, they won't see that message.

Well, since I am writing the extcap, I can certainly add a Windows message queue, if that is what it takes to make it work properly with Wireshark.
I have made some tests with this, but so far I have not seen a WM_CLOSE or WM_QUIT message on the queue.

> > or CTRL_BREAK_EVENT via SetConsoleCtrlHandler().
>
> According to a comment in sig_pipe_kill() in capchild/capture_sync.c:
>
> so that might not work either.

So is there no way for an extcap to gracefully end a capture? And thereby no way for an extcap to send an Interface Statistics Block to Wireshark?
I would like for the extcap to be able to report number of dropped packets to Wireshark.
According to the pcapng specification, this can be done either via the "epb_dropcount" option in the Enhanced Packet Block or via the "isb_ifdrop" or "isb_osdrop" options in the Interface Statistics Block.
Out of these three options, Wireshark only seems to support the "isb_ifdrop" option, so the Interface Statistics Block is the only way to report dropped packets.

-- 
Graham Bloice
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
Archives: https://www.wireshark.org/lists/wireshark-dev
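
The Interface Statistics Block with an "isb_ifdrop" option mentioned in the thread, laid out byte by byte as an added example; this is not code from the thread or from Wireshark. The helper names are hypothetical, the layout follows the pcapng specification, and the section is assumed to be little-endian with the block written to stdout in place of the extcap's capture pipe.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PCAPNG_BLOCK_ISB 0x00000005u /* Interface Statistics Block type */
#define ISB_OPT_IFDROP   5           /* isb_ifdrop: 64-bit dropped-packet count */
#define OPT_ENDOFOPT     0           /* opt_endofopt terminates the option list */

/* Store the low n bytes of v little-endian (assumed section byte order). */
static size_t put_le(uint8_t *p, uint64_t v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        p[i] = (uint8_t)(v >> (8 * i));
    return n;
}

/* Hypothetical helper: serialise one ISB carrying a single isb_ifdrop option.
 * timestamp is in the interface's if_tsresol units.
 * Returns the block length in bytes, or 0 if buf is NULL or too small. */
size_t build_isb_ifdrop(uint8_t *buf, size_t cap, uint32_t interface_id,
                        uint64_t timestamp, uint64_t dropped)
{
    const uint32_t total = 4 + 4 + 4 + 4 + 4 /* type, length, if id, ts high, ts low */
                         + 4 + 8             /* isb_ifdrop header + value */
                         + 4                 /* opt_endofopt */
                         + 4;                /* trailing copy of the length */
    size_t off = 0;

    if (buf == NULL || cap < total)
        return 0;
    off += put_le(buf + off, PCAPNG_BLOCK_ISB, 4);
    off += put_le(buf + off, total, 4);
    off += put_le(buf + off, interface_id, 4);
    off += put_le(buf + off, timestamp >> 32, 4);
    off += put_le(buf + off, timestamp & 0xffffffffu, 4);
    off += put_le(buf + off, ISB_OPT_IFDROP, 2); /* option code */
    off += put_le(buf + off, 8, 2);              /* option length */
    off += put_le(buf + off, dropped, 8);        /* option value, already 32-bit aligned */
    off += put_le(buf + off, OPT_ENDOFOPT, 2);
    off += put_le(buf + off, 0, 2);
    off += put_le(buf + off, total, 4);
    return off;
}

int main(void)
{
    uint8_t block[64];
    /* Constructed sample values: interface 0, timestamp 0, 17 dropped packets. */
    size_t n = build_isb_ifdrop(block, sizeof block, 0, 0, 17);
    return (n && fwrite(block, 1, n, stdout) == n) ? 0 : 1;
}
```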