This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Problem with the command line “stop”

0

I have a problem: I can't stop Wireshark with a command line. I used the command line to start Wireshark: "wireshark -i 3 -k", and afterwards I would like to stop Wireshark with a new command line. But when I use the command "wireshark -a duration:1", another instance of Wireshark opens. Is it possible to start and stop Wireshark with 2 command lines?

Thanks for your help

asked 06 Oct '11, 06:24


Patrick


2 Answers:

1

No, it is not possible to start and stop Wireshark with two separate commands. Wireshark's initial options can be set on the command line, and a capture can be started from the command line, but the only way to stop a capture from the user interface is to click the "Stop" button.

answered 07 Oct '11, 13:28


Guy Harris ♦♦

0

Use just one command line:
wireshark -i 3 -k -a duration:60

answered 06 Oct '11, 13:15


joke

I want to use 2 commands because I start Wireshark and I wait for an event with another software (Teststand). When I have this event, I stop Wireshark. The duration between the start and the event is never the same, and I want to stop the capture immediately after the event.

(07 Oct '11, 00:51) Patrick

Is there any particular reason why you don't use tshark?
You can run tshark and hit CTRL+C, after the event has happened:
$ tshark -i 3 -w myfile.pcap

(08 Oct '11, 05:25) joke

If you're doing long term captures and don't need to see dissection as the capture takes place then using dumpcap is probably even better than using tshark.

dumpcap just writes the capture to a file which can then be analyzed using Wireshark.

See http://wiki.wireshark.org/KnownBugs/OutOfMemory (especially the "workarounds" section).

(08 Oct '11, 05:55) Bill Meier ♦♦
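
The tshark and dumpcap suggestions above can be turned into the two separate commands the question asks for. The script below is an added example, not part of the original thread; the script name, the PIDFILE variable and both function names are hypothetical, and it assumes the capture tool closes its output file cleanly when it receives SIGTERM.

```shell
#!/bin/sh
# Added example (not from the thread): start and stop a capture as two commands.
# Assumption: the capture tool (dumpcap or tshark) closes its output file
# cleanly on SIGTERM. PIDFILE and both function names are hypothetical.
PIDFILE="${PIDFILE:-$HOME/.capture.pid}"

start_capture() {
    # Arguments are the capture command, e.g. dumpcap -i 3 -w myfile.pcap
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "capture already running, pid $(cat "$PIDFILE")" >&2
        return 1
    fi
    "$@" >/dev/null 2>&1 &
    echo "$!" > "$PIDFILE"
}

stop_capture() {
    [ -f "$PIDFILE" ] || { echo "no capture recorded in $PIDFILE" >&2; return 1; }
    pid=$(cat "$PIDFILE")
    # A command started with & from a script begins with SIGINT ignored,
    # so send SIGTERM rather than the signal CTRL+C would deliver.
    if ! kill -TERM "$pid" 2>/dev/null; then
        rm -f "$PIDFILE"
        echo "stale pid file, process $pid is gone" >&2
        return 1
    fi
    # Reaps the process when this shell started it; returns at once otherwise.
    wait "$pid" 2>/dev/null || true
    # Give the tool up to 5 seconds to flush and close the capture file.
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 5 ]; do
        sleep 1
        i=$((i + 1))
    done
    rm -f "$PIDFILE"
    ! kill -0 "$pid" 2>/dev/null
}

# Command 1: ./capture.sh start dumpcap -i 3 -w myfile.pcap
# Command 2: ./capture.sh stop
case "${1:-}" in
    start) shift; start_capture "$@" ;;
    stop)  stop_capture ;;
esac
```

The test software can call the second command as soon as its event fires; the PID file lives in the user's home directory so that other local users cannot point the stop command at a different process.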