Wireshark mailing list archives

Re: Stop cycling capture with tshark


From: "Maynard, Chris" <Christopher.Maynard () IGT com>
Date: Thu, 9 Nov 2017 14:42:47 +0000

I don’t know how you can identify your protocol, but if it runs atop tcp, then you might be able to use ss (or netstat) 
to detect when there’s no longer a session established, and then kill tshark once you detect that condition?

Example script:

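#!/bin/sh

# Quoted so the backslashes reach grep and the dots match literally.
IP_ADDR='10\.10\.10\.10'
PORT_NUM=1000
PROG=tshark

while true
do
        #netstat -ntp | grep "${IP_ADDR}:${PORT_NUM}.*ESTABLISHED" > /dev/null
        # grep fails once no established TCP session with the peer remains.
        if ! ss -tn | grep "ESTAB.*${IP_ADDR}:${PORT_NUM}" > /dev/null
        then
                # Session is gone: interrupt tshark and stop watching.
                kill -s INT $(pidof ${PROG})
                exit 0
        fi
        sleep 1
done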

- Chris

From: Wireshark-users [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Graham Bloice
Sent: Thursday, November 9, 2017 5:31 AM
To: Community support list for Wireshark <wireshark-users () wireshark org>
Subject: Re: [Wireshark-users] Stop cycling capture with tshark



On 9 November 2017 at 10:14, Helge Kruse <Helge.Kruse () gmx net> wrote:
I have set up a stress test with a network device. After some hours or
days I experience a failure. The device still responds to ICMP echo
and similar but the protocol under test is not working anymore. I
would like to know what happened before and at the failure.

I use tshark to capture the traffic as

  tshark -w file.pcap -b filesize:100000 -b files:8 host 10.0.01

The test program at my Windows PC identifies the problem. But tshark
will continue and the files are overwritten after a period of time
because not all of the traffic stops.

How can I stop tshark from a different process?

Probably easiest to spawn a command line utility to kill any process named "tshark.exe", although that might well leave 
dumpcap.exe running, so that should be killed as well.

--
Graham Bloice
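
A variant of the session check in the script above, added here as an example and not part of the original thread: it compares the Peer Address:Port column of `ss -tn` exactly, so port 1000 is not confused with 10000 and a matching local address is ignored. The function names and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Read `ss -tn` output on stdin; succeed only if some row is in state ESTAB
# and its Peer Address:Port column (field 5) is exactly $1:$2.
peer_established() {
    awk -v peer="$1:$2" '
        $1 == "ESTAB" && $5 == peer { found = 1 }
        END { exit !found }
    '
}

# Poll once per second while the session to $1:$2 exists, then send SIGINT
# (the signal the thread's script uses) to the capture process with PID $3.
stop_capture_when_session_ends() {
    while ss -tn | peer_established "$1" "$2"; do
        sleep 1
    done
    kill -s INT "$3"
}

# Constructed `ss -tn` output for exercising the matcher offline.
SAMPLE_SS='State     Recv-Q Send-Q Local Address:Port   Peer Address:Port
ESTAB     0      0      10.0.0.5:51514       10.10.10.10:10000
ESTAB     0      0      10.10.10.10:1000     10.0.0.9:40000
TIME-WAIT 0      0      10.0.0.5:51520       10.10.10.10:1000
ESTAB     0      0      10.0.0.5:51600       10.20.30.40:443'

# Assumed usage: start the capture in the background, then watch its session.
#   tshark -w file.pcap -b filesize:100000 -b files:8 host 10.10.10.10 &
#   stop_capture_when_session_ends 10.10.10.10 1000 $!
```

Passing the PID from `$!` targets only the capture started by this shell, rather than every process that `pidof` finds under the same name.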