This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

stop the trace from external event

0

I would like to stop the trace of Wireshark using external trigger event when the fault happens.

Please kindly advise me about the ideas.

asked 01 Dec '15, 01:37

Tony_2013's gravatar image

Tony_2013
11559
accept rate: 0%

One Answer:

0

As it seems you need to see what happened right before the fault event and not to watch the packets coming in live, please run dumpcap from command line in circular file buffer mode (see options -w, -b and -B here, and translate the fault signal into a killall dumpcap (or its equivalent in your operating system, like e.g. taskkill /IM dumpcap.exe on Windows 7) to terminate the running capture. When opening the saved file in Wireshark afterwards, you'll most likely get an error warning that "the capture file appears to be truncated in the middle of a packet", but that only means that several last captured packets were not written to the file due to file write buffering, so if there is some other traffic on the interface, it should not prevent you from seeing the packet related to the fault event if the delay from the fault event to execution of the killall command is long enough.

answered 01 Dec '15, 03:50

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

Thanks for your reply! i will try

(01 Dec '15, 04:30) Tony_2013
1

Can do, but I need some basic information from your side:

  • on what operating system shall we work?

  • can you reach a command line of that system for some other purposes than running dumpcap?

  • are you able to transform an occurrence of the fault event into a command line command?

(02 Dec '15, 01:20) sindy

BTW, for a dumpcap tutorial, check out

https://blog.packet-foo.com/2013/05/the-notorious-wireshark-out-of-memory-problem/

(02 Dec '15, 01:28) Jasper ♦♦

Hi Sindy,

thank you so much.

1) win 7 2)yes 3) I still do not know how to check the transform

Please kindly advise me further

(02 Dec '15, 02:32) Tony_2013
2

As even the nice article written and suggested by @Jasper seems to be too complex, here is the step-by-step cookbook for you:

In command line window, and only if you use the default installation,enter the following lines:

c: cd "\Users\your_user_name\Documents" "\Program Files\Wireshark\dumpcap.exe" -D

If you are not using the default installation, find the proper paths and use them instead.

When run with -D, dumpcap will print a numbered list of interfaces, indicating their Windows internal identifiers and "human-readable" names. The best news of the day is that the order numbers in the list can be used as interface identifiers for dumpcap, so you don't need to copy the NPF_\{... strings.

Now choose the network interface you need to capture at from the list - let's say it is the third one, and for the purpose of this example, you want to keep the history of last 20 files of 100000 kBytes each (which is 100 MBytes but the unit for specifying the size is kBytes), and you want the capture to be saved to file "my_first_dumpcap_capture.pcapng".

Using this example, your command line will be
"\Program Files\Wireshark\dumpcap.exe" -i 3 -b filesize:100000 -b files:20 -w my_firsτ_dumpcap_capture.pcapng

The worst news of the day is that all this won't serve the primary goal until you find out how to translate the occurrence of the fault event into the taskkill /IM dumpcap.exe which I was assuming from your question to be the part you know how to do, as you were asking how to make Wireshark handle an external event.

So what is the natural form of the event?

(02 Dec '15, 03:14) sindy

hi Sindy,

it works with circular buffer mode.

But do i need to write down any script to translate the error-signal and for doing the killall dumpcap.

if so please kindly let me how to start with one example of the error-signal on TCP packet.

Thanks

(02 Dec '15, 03:42) Tony_2013

Hi Sindy,

I mange to run dumpcap.exe with the circular buffer mode option.

But Please kindly advise me or explain me about the next procedure by assuming one TCP common fault signal .

Please kindly advise me how to translate the the wireshark packet fault signal and then execute the killall dumpcap.

Do I need to write down any script for it.

(02 Dec '15, 03:53) Tony_2013

we are getting quite far away from Wireshark, but let's continue anyway.

I hereby re-word my question: what exactly is the fault event you need to translate into stopping the capture? Is it

  • a strange packet which you suspect to exist but you don't know how it looks like,

  • an occurrence of a packet for which you know how it looks like but you need to know from where it comes,

  • an error window popped up by an application running on the PC,

  • a lamp lighting up on some appliance connected to Ethernet,

  • something else (please describe in detail)?

(02 Dec '15, 05:08) sindy

we have an error window pooped up by an application running on the PC.

(02 Dec '15, 05:37) Tony_2013

@Tony_2013

Your "answer" has been converted to a comment as that's how this site works. Please read the FAQ for more information.

(02 Dec '15, 05:38) grahamb ♦

we have an error window popped up by an application running on the PC.

In that case, you'll need to google up some application which can watch for a particular type of change of the screen contents (like an error window of a certain form popping up) and take an action, which in your case would be issuing of the taskkill command. I know such applications exist but I've never used any of them so I cannot provide any more details.

(02 Dec '15, 05:52) sindy

Thanks Sindy for your valuable comments!!!

(02 Dec '15, 06:35) Tony_2013
showing 5 of 12 show 7 more comments