First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

How can I stop dumpcap or tshark without any condition?

Hi,

I am trying to setup a ring capture (of let's say 8gb) and stop it when I hit an event ID on a windows machine. I have to use a script so I will be using dumpcap or tshark (lightweight due to performance reasons) so I need to know If its possible to simply tell dumpcap or tshark to stop without any condition?

Below is what I will be doing to fire up the trace.

dumpcap -i 4 -b files:2 -b filesize:8000000 -w c:\temp\hello1.pcap

How should I stop it? I get to know the problem I am tracing via an event ID in the event viewer so I will be using a script to start and stop all the data collection process.......

Aman's avatar
1
Aman
asked 2023-01-31 22:40:16 +0000
edit flag offensive 0 remove flag close merge delete

Comments

add a comment see more comments

1 Answer

0

As I posted on Discord, ...

If you know the process ID of the running dumpcap instance, then you can use something like TASKKILL /F /PID %DUMPCAP_PID%; otherwise if you know you're only going to have a single instance running, you might be able to just get away with TASKKILL /F /IM DUMPCAP.EXE.

You may also want to take a look at the dumpcap.batfile I wrote and made available at https://gitlab.com/wireshark/wireshar..., as this batch file uses this exact method to kill dumpcap. Note that the batch file might not actually work anymore with the latest version of dumpcap since I wrote it so long ago and it's not something I actually use myself.

cmaynard's avatar
11.1k
cmaynard
answered 2023-01-31 23:10:47 +0000
edit flag offensive 0 remove flag delete link
more

Comments

i can try that workaround but wondering why dumpcap or tshark simply doesn't allow us to stop it? unconditionally i mean

Aman's avatar Aman (2023-01-31 23:18:13 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer