Hi all, I am developing one utility in Windows. I can successfully start the Wireshark GUI using the CreateProcess function. Now I want to stop only the capture (not close that Wireshark window) of that particular created Wireshark process. If I kill the dumpcap process by the same CreateProcess function, it is stopping all the other Wireshark instances. Is there any way to stop the dumpcap of my own created Wireshark process while the other Wireshark windows will still be active and capture as before? Can I send any signal by using the PID of my created Wireshark process to do that? Thanks in advance.
asked 07 Mar '15, 01:26 baila
2 Answers:
From the command line, you can do something like:
... where
answered 09 Mar '15, 09:23 cmaynard ♦♦
There is no way to do this with the current Wireshark version, as that functionality is not implemented.
Regards
answered 07 Mar '15, 13:22 Kurt Knochner ♦

Thanks Kurt. Is there any way to get the PID of the dumpcap of my own created instance, so that I can kill that particular dumpcap instance? Thanks. (07 Mar '15, 20:17) baila

Is there any workaround? (08 Mar '15, 10:51) baila

You can do what @cmaynard wrote. As an alternative, you could describe what you are trying to do with your Windows tool. Maybe there is a totally different approach to solve that without starting a GUI version of Wireshark ;-) (09 Mar '15, 13:42) Kurt Knochner ♦

@Kurt I am writing one application, which will open the Wireshark GUI, capture packets and stop capturing if signaled from my application. It will just stop the capture, not close the Wireshark GUI. Users may have multiple Wireshark instances running on their system, so I don't want to disturb those instances. (09 Mar '15, 22:26) baila

I see the following alternatives:
1.) Don't capture with the GUI Wireshark. Use dumpcap directly (start / stop it as you need it) and then start Wireshark to load the capture file (-nr).
2.) Start your own dumpcap and Wireshark instances in the following way.
With option 2 you know the PIDs of both tools and you can kill either of them as you need it. You can search this Q&A site for named pipes and also read my answer to the following question:
The wiki has some information as well: (10 Mar '15, 04:00) Kurt Knochner ♦
Thanks a lot cmaynard. I'll definitely try that and let you know!
Another possible option, if you want to do it entirely in code instead of using the command line, might be to borrow this idea.
Basically, take a snapshot of all running processes, then iterate through them all. For each one named "dumpcap.exe", see if its parent process ID matches the process ID of your Wireshark instance of interest. If it does, you have found the child process ID and can then kill it, presumably by first calling OpenProcess() to get the handle, and then calling TerminateProcess(). I don't know, there might be an easier way ...
@cmaynard - your first solution works great. Thanks for your great solution.
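The parent-PID matching that cmaynard describes above, written out as an added PowerShell example (this is not code from the thread or from the Wireshark project). It starts one Wireshark instance so that its PID is known, then locates only the dumpcap.exe whose parent is that PID and terminates it, leaving every other Wireshark window and its own dumpcap untouched. The install path and the interface index are assumptions; adjust them for the target machine (dumpcap -D lists the interfaces).

```powershell
# Added example, not from the original Q&A. Assumes Wireshark is installed in
# the default location and the current account may terminate dumpcap.exe.
$wiresharkExe = 'C:\Program Files\Wireshark\Wireshark.exe'   # assumed install path
$iface        = 1                                            # assumed interface index

# Launch our own GUI instance and keep the Process object: $ws.Id is the
# Wireshark PID we will later use to pick out *its* dumpcap child.
$ws = Start-Process -FilePath $wiresharkExe -ArgumentList "-i $iface -k" -PassThru

function Get-OwnDumpcap {
    # Return the dumpcap.exe process(es) whose parent is the given Wireshark PID.
    param([Parameter(Mandatory)][int]$WiresharkPid)

    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $WiresharkPid"
    if (-not $parent) { return $null }   # our Wireshark is gone: touch nothing

    # ParentProcessId is the snapshot/parent-PID match from the comment above.
    # The CreationDate check guards against PID reuse: a real child cannot have
    # been created before the parent that spawned it.
    Get-CimInstance Win32_Process `
        -Filter "Name = 'dumpcap.exe' AND ParentProcessId = $WiresharkPid" |
        Where-Object { $_.CreationDate -ge $parent.CreationDate }
}

# ... capture runs; when the utility decides the capture should stop:
$child = Get-OwnDumpcap -WiresharkPid $ws.Id
if ($child) {
    # Ending dumpcap ends the capture; the Wireshark window stays open, and
    # other Wireshark instances (with their own dumpcap children) are unaffected.
    Stop-Process -Id $child.ProcessId -Force
} else {
    Write-Warning "No dumpcap child found for Wireshark PID $($ws.Id)"
}
```

Two practical notes: terminating dumpcap is an abrupt stop, so Wireshark will notice that its capture child exited rather than a clean end of capture, and only the packets dumpcap had already written to its temporary file are kept. Also, resolve the child at the moment you stop it rather than caching its PID at startup; Wireshark may spawn a new dumpcap if the user restarts the capture from the GUI, and a cached PID could by then belong to a different process.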