Wireshark-users: Re: [Wireshark-users] Stop cycling capture with tshark
From: "Maynard, Chris" <Christopher.Maynard@xxxxxxx>
Date: Thu, 9 Nov 2017 14:42:47 +0000

I don’t know how you can identify your protocol, but if it runs atop tcp, then you might be able to use ss (or netstat) to detect when there’s no longer a session established, and then kill tshark once you detect that condition?

 

Example script:

 

#!/bin/sh

 

IP_ADDR=10\.10\.10\.10

PORT_NUM=1000

PROG=tshark

 

while true

do

        #netstat -ntp | grep "${IP_ADDR}:${PORT_NUM}.*ESTABLISHED" > /dev/null

        ss -tn | grep "ESTAB.*${IP_ADDR}:${PORT_NUM}" > /dev/null

        if (( $? != 0 ))

        then

                kill -s INT `pidof ${PROG}`

                exit 0

        fi

        sleep 1

done

 

- Chris

 

From: Wireshark-users [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Graham Bloice
Sent: Thursday, November 9, 2017 5:31 AM
To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
Subject: Re: [Wireshark-users] Stop cycling capture with tshark

 

 

 

On 9 November 2017 at 10:14, Helge Kruse <Helge.Kruse@xxxxxxx> wrote:

I have setup a stress test with a network device. After some hours or
days I experience a failure. The device still responds to ICMP echo
and similar but the protocol under test is not working anymore. I
would like to know what happend before and at the failure.

I use tshark to capture the traffic as

  tshark -w file.pcap -b filesize:100000 -b files:8 host 10.0.01

The test program at my Windows PC identfies the problem. But tshark
will continue and the files are overwritten after a period of time
because not all of the traffic stops.

How can I stop tshark from a different process?

 

Probably easiest to spawn a command line utility to kill any process named "tshark.exe", although that might well leave dumpcap.exe running, so that should be killed as well.

 

--

Graham Bloice

CONFIDENTIALITY NOTICE: This message is the property of International Game Technology PLC and/or its subsidiaries and may contain proprietary, confidential or trade secret information.  This message is intended solely for the use of the addressee.  If you are not the intended recipient and have received this message in error, please delete this message from your system. Any unauthorized reading, distribution, copying, or other use of this message or its attachments is strictly prohibited.