
An extcap client library for python

Open KOLANICH opened this issue 5 years ago • 10 comments

Project description

extcap is an interface between Wireshark and third-party programs allowing Wireshark to visualize their captures while they are capturing, control the capture process and select what is being captured.

It would be nice to have a python library doing the same. The library should not parse the pcap stream (it should parse only headers, the rest of the frames should not be touched, because there are too many formats for the payload); instead it should concentrate on managing the process and providing the API for managing capture.

Relevant Technology

Here is an extcap server written in python, that can be used to understand extcap protocol: https://github.com/wireshark/wireshark/blob/master/doc/extcap_example.py

Complexity and required time

Complexity

  • [x] Beginner - This project requires no or little prior knowledge of the technolog(y|ies) specified to contribute to the project

Required time (ETA)

  • [x] Little work - A couple of days

Categories

  • [x] Developer Tooling

KOLANICH avatar May 27 '19 22:05 KOLANICH

Great idea, and thank you for using the categories, makes my job a lot easier :+1:

FredrikAugust avatar May 28 '19 08:05 FredrikAugust

I want to work on this. I have just started learning about wireshark. Can you please give a little more insight about the project?

Exter-dg avatar Aug 06 '20 08:08 Exter-dg

I just provide the path to the extcap server binary. The library exposes the API to introspect and change the server settings. The library itself deals with communication with the server, including subprocess calling, server crashes, restarts, lack of permissions and parsing the stream into a sequence of pcap frames. It provides a way to register a callback function, called on each frame. pcap frame bodies should not be parsed. Just provide raw blobs, 1 blob is 1 pcap frame, a user will use the tool dealing with raw pcap frames he likes.

KOLANICH avatar Aug 06 '20 10:08 KOLANICH
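The design described above (read the extcap program's pcap stream from its FIFO, parse only the pcap headers, hand each frame to a callback as an untouched blob) can be shown concretely. The block below is an added example written for this thread, not code from the issue or from any extcap library; the linktype 147 (LINKTYPE_USER0), the frame payloads and the chunk sizes are constructed test data.

```python
import struct
from typing import Callable, List, Optional, Tuple

# Added example, not code from the issue or from any extcap library.
# An extcap program writes a pcap stream to the FIFO it is given with --fifo.
# This splitter consumes that stream incrementally and hands each record's
# bytes to a callback untouched; only the pcap headers are parsed.

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
DEFAULT_MAX_SNAPLEN = 262144  # bound used when the global header says snaplen=0

# magic read as little-endian -> (struct byte-order prefix, fraction is nanoseconds)
_MAGICS = {
    0xA1B2C3D4: ("<", False),
    0xD4C3B2A1: (">", False),
    0xA1B23C4D: ("<", True),
    0x4D3CB2A1: (">", True),
}

FrameCallback = Callable[[int, int, int, bytes], None]  # ts_sec, ts_frac, orig_len, frame


class PcapFormatError(ValueError):
    pass


class PcapStreamSplitter:
    def __init__(self, on_frame: FrameCallback):
        self._on_frame = on_frame
        self._buf = bytearray()
        self._order: Optional[str] = None
        self.nanos = False
        self.snaplen = 0
        self.linktype: Optional[int] = None
        self.frames = 0

    def _parse_global_header(self) -> None:
        raw_magic = struct.unpack("<I", self._buf[:4])[0]
        if raw_magic not in _MAGICS:
            raise PcapFormatError(f"bad pcap magic 0x{raw_magic:08x}")
        self._order, self.nanos = _MAGICS[raw_magic]
        _, major, _minor, _zone, _sig, self.snaplen, self.linktype = struct.unpack(
            self._order + "IHHiIII", self._buf[:GLOBAL_HEADER_LEN])
        if major != 2:
            raise PcapFormatError(f"unsupported pcap major version {major}")
        del self._buf[:GLOBAL_HEADER_LEN]

    def feed(self, data: bytes) -> int:
        """Append a chunk read from the FIFO; returns the number of frames emitted."""
        self._buf += data
        if self._order is None:
            if len(self._buf) < GLOBAL_HEADER_LEN:
                return 0
            self._parse_global_header()
        bound = self.snaplen or DEFAULT_MAX_SNAPLEN
        emitted = 0
        while len(self._buf) >= RECORD_HEADER_LEN:
            ts_sec, ts_frac, incl_len, orig_len = struct.unpack(
                self._order + "IIII", self._buf[:RECORD_HEADER_LEN])
            # The producer is a separate process: never trust its length field beyond
            # the snaplen it advertised, or a corrupt stream makes us wait forever.
            if incl_len > bound:
                raise PcapFormatError(f"record length {incl_len} exceeds snaplen {bound}")
            end = RECORD_HEADER_LEN + incl_len
            if len(self._buf) < end:
                break  # partial record; wait for more bytes
            frame = bytes(self._buf[RECORD_HEADER_LEN:end])
            del self._buf[:end]
            self.frames += 1
            emitted += 1
            self._on_frame(ts_sec, ts_frac, orig_len, frame)
        return emitted

    def pending(self) -> int:
        return len(self._buf)


def build_sample_pcap(frames: List[Tuple[int, int, bytes]], linktype: int = 147,
                      snaplen: int = 65535, order: str = "<", nanos: bool = False) -> bytes:
    """Constructed test data: a pcap stream with the given (ts_sec, ts_frac, payload) frames."""
    magic = 0xA1B23C4D if nanos else 0xA1B2C3D4
    out = struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)
    for ts_sec, ts_frac, payload in frames:
        out += struct.pack(order + "IIII", ts_sec, ts_frac, len(payload), len(payload)) + payload
    return out


def split_in_chunks(stream: bytes, chunk: int) -> List[bytes]:
    """Drive the splitter with awkward chunk sizes, the way FIFO reads really arrive."""
    got: List[bytes] = []
    splitter = PcapStreamSplitter(lambda _s, _f, _o, frame: got.append(frame))
    for i in range(0, len(stream), chunk):
        splitter.feed(stream[i:i + chunk])
    if splitter.pending():
        raise PcapFormatError("stream ended mid-record")
    return got


if __name__ == "__main__":
    # Constructed frames; the bytes are arbitrary, the splitter never looks inside them.
    sample = build_sample_pcap([(1, 500, b"\x80\x06\x00\x01\x00\x00"), (1, 900, b"\xaa" * 40)])
    for frame in split_in_chunks(sample, 7):
        print(len(frame), frame.hex())
```

In a real client the bytes fed to `feed()` come from `os.read()` on the FIFO passed to the extcap program's `--fifo` argument; the splitter keeps no state beyond the unconsumed tail, so it is safe to call from whatever reading loop the application already has.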

What will the requirements be to make such a library?

pycoder2000 avatar Aug 13 '20 12:08 pycoder2000

@pycoder2000, what do you mean?

requirements.txt? It is unneeded, dependencies must be specified in a way available to the package manager, such as setup.cfg. subprocess and struct are already in the python standard library. But you may need a library parsing the extcap grammar. The extcap grammar is a text-based grammar, so you may need UniGrammar + parser gens to develop it properly (read the manual, if you are a newbie in grammars). The grammar parser should be a separate package.

For the features ... as I have said, an easy to use interface is needed without any low-level details burdening its users.

KOLANICH avatar Aug 13 '20 22:08 KOLANICH
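The extcap text grammar mentioned above is small: each line the program prints for `--extcap-interfaces` or `--extcap-config` is a sentence keyword followed by `{key=value}` pairs. The block below is an added example for this thread, not the issue's code nor any extcap project's; it uses a plain regular expression rather than a generated parser, assumes values contain no braces, and the `SAMPLE_INTERFACES` / `SAMPLE_CONFIG` strings are constructed, modelled on what the Wireshark `extcap_example.py` script prints. It also shows the validation a client library should do before turning user settings into `--capture` arguments for an untrusted child process.

```python
import re
import subprocess
from typing import Dict, List, Optional

# Added example, not the issue's code nor any extcap project's.
# Parses the text "sentences" an extcap program prints for --extcap-interfaces
# and --extcap-config, and checks user-supplied settings against the arg
# definitions before they become command-line arguments for --capture.

_SENTENCE_RE = re.compile(r"^\s*(\w+)\s*((?:\{[^{}=]+=[^{}]*\}\s*)+)$")
_PAIR_RE = re.compile(r"\{([^{}=]+)=([^{}]*)\}")

# Constructed sample output, modelled on the sentences extcap_example.py prints.
SAMPLE_INTERFACES = """\
extcap {version=1.0}{help=https://example.invalid/extcap-help}
interface {value=example1}{display=Example interface 1 for extcap}
interface {value=example2}{display=Example interface 2 for extcap}
"""
SAMPLE_CONFIG = """\
arg {number=0}{call=--delay}{display=Time delay}{tooltip=Time delay between packets}{type=integer}{range=1,15}{required=true}
arg {number=1}{call=--verify}{display=Verify}{tooltip=Verify packet content}{type=boolflag}
arg {number=2}{call=--remote}{display=Remote Channel}{tooltip=Remote Channel Selector}{type=selector}
value {arg=2}{value=if1}{display=Remote1}{default=true}
value {arg=2}{value=if2}{display=Remote2}{default=false}
"""


def parse_extcap_sentence(line: str) -> Optional[Dict[str, str]]:
    """'arg {number=0}{call=--delay}' -> {'sentence': 'arg', 'number': '0', 'call': '--delay'}.
    Blank or unrecognised lines yield None instead of being guessed at."""
    m = _SENTENCE_RE.match(line)
    if not m:
        return None
    fields = {"sentence": m.group(1)}
    for key, val in _PAIR_RE.findall(m.group(2)):
        fields[key.strip()] = val
    return fields


def parse_extcap_output(text: str) -> List[Dict[str, str]]:
    return [s for s in (parse_extcap_sentence(l) for l in text.splitlines()) if s]


def list_interfaces(text: str) -> Dict[str, str]:
    """Interface value -> display name, from --extcap-interfaces output."""
    return {s["value"]: s["display"]
            for s in parse_extcap_output(text) if s["sentence"] == "interface"}


def build_capture_args(config_text: str, settings: Dict[str, object]) -> List[str]:
    """Map {'--delay': '5', ...} onto the --extcap-config definitions, rejecting
    unknown options, out-of-range numbers, unknown selector values and missing
    required args, so only vetted strings reach the child process's argv."""
    sentences = parse_extcap_output(config_text)
    args = {s["call"]: s for s in sentences if s["sentence"] == "arg"}
    choices: Dict[str, set] = {}
    for s in sentences:
        if s["sentence"] == "value":
            choices.setdefault(s["arg"], set()).add(s["value"])
    argv: List[str] = []
    for call, raw in settings.items():
        spec = args.get(call)
        if spec is None:
            raise ValueError(f"unknown extcap argument {call!r}")
        kind = spec.get("type", "string")
        if kind == "boolflag":
            if raw:
                argv.append(call)
            continue
        if kind in ("integer", "unsigned", "long", "double"):
            num = float(raw) if kind == "double" else int(raw)
            if "range" in spec:
                lo, hi = (float(x) for x in spec["range"].split(","))
                if not lo <= num <= hi:
                    raise ValueError(f"{call} must be within {spec['range']}, got {raw}")
        elif kind in ("selector", "radio"):
            if raw not in choices.get(spec["number"], set()):
                raise ValueError(f"{raw!r} is not a valid choice for {call}")
        argv += [call, str(raw)]
    for spec in args.values():
        if spec.get("required") == "true" and spec["call"] not in settings:
            raise ValueError(f"required argument {spec['call']} missing")
    return argv


def run_extcap(program: str, *args: str) -> str:
    """Run the extcap program with an argv list (no shell) and return its stdout."""
    return subprocess.run([program, *args], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(list_interfaces(SAMPLE_INTERFACES))
    print(build_capture_args(SAMPLE_CONFIG, {"--delay": "5", "--verify": True, "--remote": "if2"}))
```

With a real program the two sample strings would be `run_extcap(path, "--extcap-interfaces")` and `run_extcap(path, "--extcap-config", "--extcap-interface", name)`; the resulting argv is then prefixed with `--capture --extcap-interface name --fifo path` and handed to `subprocess.Popen` as a list, never joined into a shell string.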

See also chapter 8.2 "Extcap: Developer's Guide" in the Wireshark Developer's Guide, which shows examples of the command-line arguments, and standard output, that an extcap program/script should have.

(I say "program/script", rather than "client library", as extcap extensions to Wireshark should be programs or scripts that can be run, they're not a library in the UN*X/Windows sense. If your goal is to extend Wireshark by some mechanism other than a runnable program or script, that will involve more work; for one thing, Wireshark does support some level of extensibility via Lua scripts, but currently doesn't support running Python scripts as part of the Wireshark process, so you can't directly talk to Wireshark's internals.)

guyharris avatar Aug 15 '20 05:08 guyharris

My goal is not to extend wireshark, but to react to captures in real time. I.e. I start an app whose activity is captured, I start another custom app written in python, but using the extcap library that uses an extcap host (I am particularly interested in USBPcap which captures USB frames). My app observes the activity of the foreign app and maybe interacts with it in a way dependent on the captured data, in real time. No wireshark at all is involved at this stage, but it is trivial to capture the pcap frames into a pcap file for later manual observation using wireshark, if it is needed.

Though for this particular case dynamic instrumentation and hooking, i.e. with DynamoRIO, can suit better (since using hooking I can also fake the frames the app receives), it still would be nice to have a python interface for extcaps.

KOLANICH avatar Aug 16 '20 18:08 KOLANICH

I just implemented that: https://github.com/paulo-raca/extcapy

Please take a look and let me know what you think

paulo-raca avatar Nov 19 '20 20:11 paulo-raca

@paulo-raca, though your lib is useful, this idea is opposite to the one proposed here. Your lib is for writing extcaps for wireshark, the idea is about creating a lib simplifying using extcaps in own apps without wireshark.

> Please take a look and let me know what you think

I think that you should really use pylint. I see some flaws in your code. It is likely that pylint would detect them.

KOLANICH avatar Nov 20 '20 07:11 KOLANICH

> @paulo-raca, though your lib is useful, this idea is opposite to the one proposed here. Your lib is for writing extcaps for wireshark, the idea is about the lib using extcaps in own apps without wireshark.

🤦‍♂️ Sorry, I misread it

> I think that you should really use pylint. I see some flaws in your code. It is likely that pylint would detect them.

Thanks for the suggestion, I'll do it

paulo-raca avatar Nov 20 '20 11:11 paulo-raca