This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Send signal to wireshark process using pid

0

Hi all, I am developing a utility on Windows. I can successfully start the Wireshark GUI using the CreateProcess function. Now I want to stop the capture only (not close that Wireshark window) of that particular created Wireshark process. If I kill the dumpcap process using the same CreateProcess function, it stops all the other Wireshark instances.

Is there any way to stop the dumpcap of my own created Wireshark process while the other Wireshark windows stay active and capture as before? Can I send any signal using the PID of my created Wireshark process to do that?

Thanks in advance.

asked 07 Mar '15, 01:26


baila
accept rate: 0%


2 Answers:

2

From the command line, you can do something like:

C:\>wmic process where (ParentProcessId=XXXX) get Caption,ProcessId
Caption      ProcessId
dumpcap.exe  YYYY

... where XXXX is the process ID of Wireshark and YYYY is the process ID of Wireshark's dumpcap instance. Once you have dumpcap's process ID, it should be easy to terminate only that instance. One such way:

C:\>taskkill /f /pid YYYY
SUCCESS: The process with PID YYYY has been terminated.

answered 09 Mar '15, 09:23


cmaynard ♦♦
accept rate: 20%

Thanks a lot cmaynard. I'll definitely try that and let you know!

(09 Mar '15, 10:03) baila

Another possible option, if you want to do it entirely in code instead of using the command-line, might be to borrow this idea.

Basically, take a snapshot of all running processes, then iterate through them all. For each one named "dumpcap.exe", see if its parent process ID matches the process ID of your Wireshark instance of interest. If it does, you have found the child process ID and can then kill it, presumably by first calling OpenProcess() to get the handle, and then calling TerminateProcess().

I don't know, there might be an easier way ...

(09 Mar '15, 10:33) cmaynard ♦♦

@cmaynard - your first solution works great. Thanks for your great solution.

(11 Mar '15, 03:56) baila
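A scripted version of the wmic/taskkill procedure from the accepted answer, added here as an example; it is not code from the original thread or from the Wireshark project. It assumes PowerShell on Windows and that the Wireshark PID is the one your own CreateProcess call returned (the 4242 below is a constructed value), and it adds one check the thread does not mention: because Windows reuses PIDs, it confirms the number still belongs to Wireshark.exe before terminating anything underneath it.

```powershell
function Stop-WiresharkCapture {
    # Terminates only the dumpcap.exe child of one Wireshark instance, found by parent PID.
    # Assumed: $WiresharkPid came from your own CreateProcess call (constructed input).
    [CmdletBinding()]
    param([Parameter(Mandatory)][int]$WiresharkPid)

    # PIDs are recycled, so verify the parent is still a running Wireshark.exe
    # before killing any process that happens to list it as parent.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $WiresharkPid"
    if (-not $parent -or $parent.Name -ne 'Wireshark.exe') {
        throw "PID $WiresharkPid is not a running Wireshark.exe"
    }

    # Same lookup as 'wmic process where (ParentProcessId=XXXX)', restricted to dumpcap.
    $children = @(Get-CimInstance Win32_Process `
        -Filter "ParentProcessId = $WiresharkPid AND Name = 'dumpcap.exe'")
    if ($children.Count -eq 0) {
        Write-Verbose "No dumpcap.exe child of PID $WiresharkPid (capture already stopped?)"
        return @()
    }

    foreach ($child in $children) {
        # -Force is TerminateProcess(), the same forced kill as 'taskkill /f /pid YYYY';
        # other Wireshark instances and their own dumpcap children are untouched.
        Stop-Process -Id $child.ProcessId -Force -ErrorAction Stop
    }
    return $children.ProcessId   # PIDs of the dumpcap instances that were terminated
}

# Usage, with a constructed PID in place of the one your CreateProcess call returned:
# Stop-WiresharkCapture -WiresharkPid 4242 -Verbose
```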

0

There is no way to do this with the current Wireshark version, as that functionality is not implemented.

Regards
Kurt

answered 07 Mar '15, 13:22


Kurt Knochner ♦
accept rate: 15%

Thanks Kurt. Is there any way to get the PID of the dumpcap of my own created instance, so that I can kill that particular dumpcap instance?

Thanks.

(07 Mar '15, 20:17) baila

Is there any workaround?

(08 Mar '15, 10:51) baila

You can do what @cmaynard wrote.

As an alternative, you could describe what you are trying to do with your Windows tool. Maybe there is a totally different approach to solve that without starting a GUI version of Wireshark ;-)

(09 Mar '15, 13:42) Kurt Knochner ♦

@Kurt I am writing an application which will open the Wireshark GUI, capture packets and stop capturing when signaled from my application. It will just stop the capture, not close the Wireshark GUI. Users may have multiple Wireshark instances running on their system, so I don't want to disturb those instances.

(09 Mar '15, 22:26) baila

I see the following alternatives:

1.) Don't capture with the GUI Wireshark. Use dumpcap directly (start / stop it as you need it) and then start Wireshark to load the capture file (-nr)

2.) Start your own dumpcap and Wireshark instances in the following way.

  • Create a named pipe (see MSDN for how to do that, or search ask.wireshark.org)
  • Let Wireshark read from the named pipe (Wireshark -ni \\.\pipe\whatever -k)
  • Start dumpcap and let it write to the named pipe.

With option 2. you know the PIDs of both tools and you can kill either of them as you need it.

You can search this Q&A site for named pipes and also read my answer to the following question:

https://ask.wireshark.org/questions/13059/capturing-from-multiple-pipes

The wiki has some information as well:

http://wiki.wireshark.org/CaptureSetup/Pipes

(10 Mar '15, 04:00) Kurt Knochner ♦