extcap(4) — Linux manual page

NAME | DESCRIPTION | GRAMMAR ELEMENTS | EXAMPLES | TABLE FIELD | SECURITY CONSIDERATIONS | SEE ALSO | NOTES

EXTCAP(4)                                                       EXTCAP(4)

NAME         top

       extcap - The external capture interface

DESCRIPTION         top

       The extcap (external capture) interface is a versatile plugin
       interface that allows external binaries to act as capture
       interfaces directly in Wireshark. It is used in scenarios, where
       the source of the capture is not a traditional capture model (live
       capture from an interface, from a pipe, from a file, etc). The
       typical example is connecting esoteric hardware of some kind to
       the main Wireshark application.

       Without extcap, a capture can always be achieved by directly
       writing to a capture file:

           the-esoteric-binary --the-strange-flag --interface=stream1 --file dumpfile.pcap &
           wireshark dumpfile.pcap

       but the extcap interface allows for such a connection to be easily
       established and configured using the Wireshark GUI.

       The extcap subsystem is made of multiple extcap binaries that are
       automatically called by the GUI in a row. In the following
       chapters we will refer to them as "the extcaps".

       Extcaps may be any binary or script within the extcap/wireshark or
       extcap/stratoshark directories. Please note that scripts need to
       be executable without prefacing a script interpreter before the
       call.

       WINDOWS USERS: Because of restrictions directly calling the script
       may not always work. In such a case, a batch file may be provided,
       which then in turn executes the script. Please refer to
       doc/extcap_example.py for more information.

       When Wireshark launches an extcap, it automatically adds its
       installation path (normally C:\Program Files\Wireshark\) to the
       DLL search path so that the extcap library dependencies can be
       found (it is not designed to be launched by hand). This is done on
       purpose. There should only be extcap programs (executables, Python
       scripts, ...) in the extcap folder to reduce the startup time and
       not have Wireshark trying to execute other file types.

GRAMMAR ELEMENTS         top

       Grammar elements:

       arg (options)
           argument for CLI calling

       number
           Reference # of argument for other values, display order

       call
           Literal argument to call (--call=...)

       display
           Displayed name

       default
           Default value, in proper form for type

       range
           Range of valid values for UI checking (min,max) in proper form

       type

           Argument type for UI filtering for raw, or UI type for
           selector:

               integer
               unsigned
               long (may include scientific / special notation)
               double
               string (display a textbox)
               selector (display selector table, all values as strings)
               editselector (selector table which can be overridden, all values as strings)
               boolean (display checkbox)
               booleanflag (display checkbox)
               radio (display group of radio buttons with provided values, all values as strings)
               fileselect (display a dialog to select a file from the filesystem, value as string)
               multicheck (display a textbox for selecting multiple options, values as strings)
               table (display a table that is populated by the user, selections can be configured, values as commandlines arguments)
               password (display a textbox with masked text)
               timestamp (display a calendar)

       value (options)

               Values for argument selection
               arg     Argument # this value applies to

EXAMPLES         top

       Example 1:

           arg {number=0}{call=--channel}{display=Wi-Fi Channel}{type=integer}{required=true}
           arg {number=1}{call=--chanflags}{display=Channel Flags}{type=radio}
           arg {number=2}{call=--interface}{display=Interface}{type=selector}
           value {arg=0}{range=1,11}
           value {arg=1}{value=ht40p}{display=HT40+}
           value {arg=1}{value=ht40m}{display=HT40-}
           value {arg=1}{value=ht20}{display=HT20}
           value {arg=2}{value=wlan0}{display=wlan0}

       Example 2:

           arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
           value {arg=0}{call=/dev/sysfs/usb/foo/123}{display=Ubertooth One sn 1234}
           value {arg=0}{call=/dev/sysfs/usb/foo/456}{display=Ubertooth One sn 8901}

       Example 3:

           arg {number=0}{call=--usbdevice}{USB Device}{type=selector}
           arg {number=1}{call=--server}{display=IP address for log server}{type=string}{validation=(?:\d{1,3}\.){3}\d{1,3}}
           flag {failure=Permission denied opening Ubertooth device}

       Example 4:

           arg {number=0}{call=--username}{display=Username}{type=string}
           arg {number=1}{call=--password}{display=Password}{type=password}

       Example 5: timestamp

           arg {number=0}{call=--start}{display=Start Time}{type=timestamp}
           arg {number=1}{call=--end}{display=End Time}{type=timestamp}

       Example 6: multicheck

           arg {number=0}{call=--device}{display=Device}{type=multicheck}
           value {arg=0}{value=USBDEV}{display=USB devices}{enabled=false}
           value {arg=0}{value=/dev/sysfs/usb/foo/123}{display=Ubertooth One sn 1234}{parent=USBDEV}
           value {arg=0}{value=/dev/sysfs/usb/foo/456}{display=Ubertooth One sn 8901}{parent=USBDEV}
           value {arg=0}{value=PCIDEV}{display=PCI devices}{enabled=false}
           value {arg=0}{value=/sys/devices/pci123}{display=Device 1}{parent=PCIDEV}
           value {arg=0}{value=/sys/devices/pci456}{display=Device 2}{parent=PCIDEV}

TABLE FIELD         top

       The "table" field is a bit different, in that its values can have
       additional configuration options. The values can either be entered
       manually by the user, or a list of available values can be
       provided using the same API as "multicheck". Unlike most APIs, the
       value is provided using a commandline-like API, separated by
       spaces instead of comas. For instance, a configured "myparam"
       attribute where the user selected three values (1, 2 and 3) would
       receive:

           --myparam "1 2 3"

       If a "prefix" is configured to be "--p", it would receive the
       following:

           --myparam "--p 1 --p 2 --p 3"

       The values selected in a table field may have specific
       configuration options, if "configurable=true" for the "multicheck"
       field. In this case, the extcap will be called again when the user
       presses the configuration wheel that matches a value in the table,
       with the additional "--extcap-config-option-name <option_name>
       --extcap-config-option-value <option_value>" with no prefix. An
       extcap program should respond with an additional set of arguments,
       which will be opened in a popup. Once those are configured, the
       extcap might get the following, assuming for instance that an
       additional "param1" is requested when value is 1, and "param2"
       when value is 2.

           --myparam "--p 1 --param1 1 --p 2 --param2 true --p 3"

SECURITY CONSIDERATIONS         top

       •   If you’re running Wireshark as root, we can’t save you.

       •   Dumpcap retains suid/setgid and group execute permissions for
           users in the “wireshark” group only.

       •   Third-party capture programs run with whatever privileges
           they’re installed with.

       •   If an attacker can write to a system binary directory, it’s
           game over.

       •   You can find your local extcap directory in About › Folders.

SEE ALSO         top

       wireshark(1), tshark(1), dumpcap(1), androiddump(1), sshdig(1),
       sshdump(1), randpktdump(1)

NOTES         top

       Extcap is feature of Wireshark. The latest version of Wireshark
       can be found at https://www.wireshark.org.

       HTML versions of the Wireshark project man pages are available at
       https://www.wireshark.org/docs/man-pages. This page is part of the
       wireshark (Interactively dump and analyze network traffic)
       project. Information about the project can be found at 
       ⟨https://www.wireshark.org/⟩. If you have a bug report for this
       manual page, see
       ⟨https://gitlab.com/wireshark/wireshark/-/issues⟩. This page was
       obtained from the project's upstream Git repository
       ⟨https://gitlab.com/wireshark/wireshark.git⟩ on 2025-08-11. (At
       that time, the date of the most recent commit that was found in
       the repository was 2025-08-11.) If you discover any rendering
       problems in this HTML version of the page, or you believe there is
       a better or more up-to-date source for the page, or you have
       corrections or improvements to the information in this COLOPHON
       (which is not part of the original manual page), send a mail to
       [email protected]

                                2025-08-09                      EXTCAP(4)

Pages that refer to this page: androiddump(1)ciscodump(1)dpauxmon(1)etwdump(1)falcodump(1)randpktdump(1)sdjournal(1)sshdig(1)sshdump(1)udpdump(1)wifidump(1)