While correct as an answer, the main limitation here is dumpcap. You would have to implement a mechanism to let dumpcap know which format to use for the internal pipe to the extcap interface. DLT could be that. Pcapng has been on the wishlist for a very long time as a format.
Kind regards
Roland

> On 21.03.2021 at 15:53, Tomasz Moń <deso...@gmail.com> wrote:
>
> On Sun, Mar 21, 2021 at 1:21 PM Martin Mathieson via Wireshark-dev
> <wireshark-dev@wireshark.org> wrote:
>> Can an extcap program write to a wiretap-supported file format other than
>> pcap or pcapng? A quick test (hack to file preamble and frames in
>> extcap_example.py) suggests not..
>> Has it to do with synchronising whole frames being read at the wireshark end
>> of the pipe?
>
> Currently extcap is inherently bound to pcap. Currently extcaps
> mention their DLT that determines link layer header type (as defined
> at [1]) when they are being called with --extcap-dlts argument. When
> you capture from extcap source, it is dumpcap that reads the pcap
> stream that is written to the pipe by extcap.
>
> To make extcap support different file types we would need to:
> * extend extcap interface with a method to let Wireshark know that
> the extcap in question does not output pcap data
> * make dumpcap capable of at least passing the data from the pipe to
> Wireshark
>
> [1] https://www.tcpdump.org/linktypes.html
> ___________________________________________________________________________
> Sent via: Wireshark-dev mailing list <wireshark-dev@wireshark.org>
> Archives: https://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://www.wireshark.org/mailman/options/wireshark-dev
> mailto:wireshark-dev-requ...@wireshark.org?subject=unsubscribe
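
An added illustration, not part of the original thread and not dumpcap's or Wireshark's code: a simplified sketch of the pcap framing that the messages above say an extcap writes to the pipe, with a reader that refuses any other preamble. The function names and the use of LINKTYPE_USER0 (147) as the declared DLT are assumptions made for the example.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic pcap, microsecond timestamps
LINKTYPE_USER0 = 147      # assumed DLT for this example (see the tcpdump.org linktype list)


def write_pcap_stream(out, linktype, frames, snaplen=262144):
    """Writer side (hypothetical extcap): global header, then one record per frame."""
    out.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in frames:
        out.write(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
        out.write(data)


def read_exact(stream, n):
    """Read exactly n bytes from a pipe-like stream; return b'' on EOF at a boundary."""
    buf = b""
    while len(buf) < n:
        chunk = stream.read(n - len(buf))
        if not chunk:
            if buf:
                raise ValueError("stream ended inside a header or frame")
            return b""
        buf += chunk
    return buf


def read_pcap_stream(stream):
    """Reader side (simplified): return (linktype, frames); raise on non-pcap input."""
    hdr = read_exact(stream, 24)
    if len(hdr) != 24:
        raise ValueError("empty stream, no pcap global header")
    for endian in ("<", ">"):          # the writer's byte order is visible in the magic
        if struct.unpack(endian + "I", hdr[:4])[0] == PCAP_MAGIC:
            break
    else:
        raise ValueError("preamble is not a pcap global header")
    snaplen, linktype = struct.unpack(endian + "II", hdr[16:24])
    frames = []
    while True:
        rec = read_exact(stream, 16)   # per-record header: ts_sec, ts_usec, incl_len, orig_len
        if not rec:
            return linktype, frames
        incl_len = struct.unpack(endian + "IIII", rec)[2]
        if incl_len > snaplen:
            raise ValueError("record length exceeds snaplen; framing lost")
        data = read_exact(stream, incl_len)
        if len(data) != incl_len:
            raise ValueError("stream ended inside a frame")
        frames.append(data)
```

Frame boundaries exist only through the `incl_len` field of each record header, so a reader of this kind cannot pass through a stream whose preamble it does not recognise.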