I have a problem: I can't stop Wireshark from the command line. I used the command line to start Wireshark: "wireshark -i 3 -k", and afterwards I would like to stop Wireshark with a new command line. But when I use the command "wireshark -a duration:1", another instance of Wireshark opens. Is it possible to start and stop Wireshark with 2 command lines? Thanks for your help.

asked 06 Oct '11, 06:24 Patrick
2 Answers:
No, it is not possible to start and stop Wireshark with two separate commands. Wireshark's initial options can be set on the command line, and a capture can be started from the command line, but the only way to stop a capture from the user interface is to click the "Stop" button.

answered 07 Oct '11, 13:28 Guy Harris
Use just one command line:

answered 06 Oct '11, 13:15 joke
I want to use 2 commands because I start Wireshark and I wait for an event with another piece of software (Teststand). When I have this event, I stop Wireshark. The duration between the start and the event is never the same, and I want to stop the capture immediately after the event.
Is there any particular reason why you don't use tshark?
You can run tshark and hit CTRL+C, after the event has happened:
$ tshark -i 3 -w myfile.pcap
If you're doing long term captures and don't need to see dissection as the capture takes place then using dumpcap is probably even better than using tshark.
dumpcap just writes the capture to a file which can then be analyzed using Wireshark.
See http://wiki.wireshark.org/KnownBugs/OutOfMemory (especially the "workarounds" section).
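The two-command start/stop workflow asked about above, sketched as an added example that is not part of the original thread. It assumes a Unix-like shell and wraps the command-line capture tools suggested in the comments; the script name `capture.sh`, the functions `capture_start` and `capture_stop`, and the `PIDFILE` location are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Script and function names are assumptions:
#   ./capture.sh start dumpcap -i 3 -w myfile.pcap
#   ./capture.sh stop
PIDFILE=${PIDFILE:-./capture.pid}   # hypothetical PID file location

capture_start() {
    # Refuse to start a second capture while the recorded one is alive.
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        echo "capture already running (pid $(cat "$PIDFILE"))" >&2
        return 1
    fi
    "$@" >/dev/null 2>&1 &          # e.g. dumpcap -i 3 -w myfile.pcap
    echo "$!" > "$PIDFILE"
}

capture_stop() {
    [ -f "$PIDFILE" ] || { echo "no capture recorded" >&2; return 1; }
    cap_pid=$(cat "$PIDFILE")
    # Only ever signal a plain positive PID read from the file.
    case "$cap_pid" in ''|0|*[!0-9]*) echo "bad pid file" >&2; return 1 ;; esac
    # SIGTERM, not SIGINT: a non-interactive shell starts "&" jobs with
    # SIGINT ignored. dumpcap and tshark handle SIGTERM like Ctrl+C.
    kill -TERM "$cap_pid" 2>/dev/null || true
    wait "$cap_pid" 2>/dev/null || true   # reaps it if it is our own child
    tries=0
    while kill -0 "$cap_pid" 2>/dev/null && [ "$tries" -lt 5 ]; do
        sleep 1
        tries=$((tries + 1))
    done
    if kill -0 "$cap_pid" 2>/dev/null; then
        echo "capture (pid $cap_pid) did not exit" >&2
        return 1
    fi
    rm -f "$PIDFILE"
}

case "${1:-}" in
    start) shift; capture_start "$@" ;;
    stop)  capture_stop ;;
esac
```

The external test software can then call `./capture.sh stop` the moment its event fires, and the resulting file can be opened in Wireshark afterwards.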