A library for developing extcap plugins for Wireshark
theXappy/ExtcapNet
A small .NET standard library that implements the extcap interface for you.
There are 2 ways to add the ExtcapNet library to your project:
- Get it from NuGet

-or-

- Download the code and add the ExtcapNet project (.csproj) to your solution
To use the extcap interface you'll need to use the `ExtcapManager` class and its 2 methods:
- `ExtcapManager.RegisterInterface()` - To add one or more capturable interfaces to Wireshark's list
- `ExtcapManager.Run()` - To perform the necessary API communication with Wireshark*

\* Wireshark's extcap interface is based on invoking the plugin executable several times (at startup and when starting a capture) with different command line arguments and reading specific results from its standard output.
The most basic usage for the library is provided in this example:

```csharp
static void Main(string[] args)
{
    var extcap = new ExtcapManager();
    extcap.RegisterInterface(displayName: "Dummy Interface Name",
                             producer: DummyPacketsProducer,
                             defaultLinkLayer: LinkLayerType.Ethernet);

    // This will handle different invocations by wireshark
    // When finally a capture command arrives this function blocks until 'DummyPacketsProducer'
    // is done/wireshark stops the capturing.
    extcap.Run(args);
}

static void DummyPacketsProducer(Dictionary<ConfigField, string> config, IPacketsPublisher publisher)
{
    // In this function you should continuously read from your packets source
    // and send them to Wireshark using the 'publisher' arg.
    //
    // To keep this example short, we'll simply generate some packets ourselves.
    for (int i = 0; i < 10; i++)
    {
        byte[] newEtherPacket = new byte[14];
        // Setting different first byte of every packet so we can tell them apart
        newEtherPacket[0] = (byte)i;
        publisher.Send(newEtherPacket);
    }
}
```

This code should cover most basic cases.
The only part missing to make this code a worthy plugin is a real body for the `DummyPacketsProducer` function.
To demonstrate the convenience this library provides, take a look at the following example, which attempts to mimic the `udpdump.exe` plugin (bundled with Wireshark):

```csharp
static void Main(string[] args)
{
    var extcap = new ExtcapManager();
    extcap.RegisterInterface(displayName: "Fake udpdump",
                             producer: FakeUdpDumpProducer,
                             defaultLinkLayer: LinkLayerType.Ethernet); // TODO: Only supports Ethernet inside UDP
    extcap.Run(args);
}

static void FakeUdpDumpProducer(Dictionary<ConfigField, string> config, IPacketsPublisher publisher)
{
    // Plugin specific logic: Wait for incoming UDP packets
    // when one arrives, just forward its entire payload as an Ethernet packet to Wireshark
    UdpClient udpListener = new UdpClient(5555); // TODO: Port is hard-coded
    IPEndPoint ipe = new IPEndPoint(0, 0);
    while (true)
    {
        byte[] nextUdpPayload = udpListener.Receive(ref ipe);
        publisher.Send(nextUdpPayload);
    }
}
```

This example works, but it is not a complete copy: `udpdump` has a few more features which we are lacking.
For example, you can specify in `udpdump`'s settings on which port to listen.
You can also specify the encapsulated protocol type so its dissector will be called by Wireshark.
To allow such flexibility in ExtcapNet, a deeper dive into the library is required.
ExtcapNet allows you to define "configuration fields" which Wireshark will render in a special window for the users to configure the plugin (like the ones udpdump and sshdump have).
To learn about configuration support, see the 'revamped udpdump example'.
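
An added example, not code from the ExtcapNet project: a variant of the "Fake udpdump" producer that binds the listener to loopback instead of every local address and skips datagrams too short to hold the 14-byte Ethernet header the interface is registered with. It uses only the ExtcapNet calls shown above; the `using ExtcapNet;` namespace, the class name and the helper `LooksLikeEthernetFrame` are assumptions.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
using ExtcapNet; // assumption: the library's root namespace; adjust if the types live elsewhere

static class LoopbackUdpDump
{
    const int ListenPort = 5555;          // same hard-coded port as the example above
    const int EthernetHeaderLength = 14;  // dst MAC (6) + src MAC (6) + EtherType (2)

    static void Main(string[] args)
    {
        var extcap = new ExtcapManager();
        extcap.RegisterInterface(displayName: "Fake udpdump (loopback only)",
                                 producer: LoopbackUdpProducer,
                                 defaultLinkLayer: LinkLayerType.Ethernet);
        extcap.Run(args);
    }

    // Hypothetical helper: true when a datagram can hold a full Ethernet header.
    static bool LooksLikeEthernetFrame(byte[] payload) =>
        payload != null && payload.Length >= EthernetHeaderLength;

    static void LoopbackUdpProducer(Dictionary<ConfigField, string> config, IPacketsPublisher publisher)
    {
        // new UdpClient(5555) binds to every local address; binding to loopback
        // means only processes on this machine can feed frames to Wireshark.
        using (var udpListener = new UdpClient(new IPEndPoint(IPAddress.Loopback, ListenPort)))
        {
            var sender = new IPEndPoint(IPAddress.Any, 0);
            while (true)
            {
                byte[] payload;
                try { payload = udpListener.Receive(ref sender); }
                catch (SocketException) { return; } // socket closed or failed: end the capture

                // The interface is registered as Ethernet, so drop datagrams
                // that cannot contain a complete Ethernet header.
                if (!LooksLikeEthernetFrame(payload)) continue;

                publisher.Send(payload);
            }
        }
    }
}
```
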
After you're done developing your plugin you'll want to use it in Wireshark.
To do so you need to copy everything from the compilation folder (/bin/debug or /bin/release) to Wireshark's 'extcaps' directory.
.NET projects commonly compile to several different files (dlls, exe, config, ...) and copying all of those to the directory might make a mess.
Luckily, .NET core 3.1 and .NET 5/6/7 support single-file publishing, which produces only 2 files: `program.exe` and `program.pdb` (a symbols file, not necessary for execution).
To publish a single file you can use this command in Visual Studio's "Package Manager Console":

```
PM> dotnet publish -r win-x64 -c Debug /p:PublishSingleFile=true
```

(Adjust windows version and Debug/Release according to your needs)
Shark, Puzzle icons icon by Icons8