
Wireshark-dev: Re: [Wireshark-dev] explicitly stop capture with Tshark

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 4 Feb 2009 10:39:36 -0800

On Feb 4, 2009, at 10:25 AM, Joshua (Shiwei) Zhao wrote:

Thanks for explanation! I'll try it out.

Meanwhile, can we design a command like
    tshark -stop XXXX  ?
What's the difficulty there?

Well, the first difficulty is that "-stop" is equivalent to "-s -t -o -p", so it'd have to be "--stop", and that would mean switching to getopt_long() from getopt() in the argument parsing. Not difficult, but requires a little work.

On UN*X:

The second difficulty is that "tshark --stop XXXX" wouldn't be sufficient, unless "XXXX" was the PID of the tshark process in question, in which case "kill -TERM XXXX" is equivalent, and it's not entirely clear that it'd be worth the effort to do.

If we add "--start XXXX", the next question would be whether tshark would background itself or whether you'd have to background it yourself or run "tshark --stop XXXX" from another terminal emulator or login session.

In either case, "--start XXXX" would have to write the PID of the process to a file - "/tmp/XXXX", for example, and "tshark --stop XXXX" would be equivalent to "kill -TERM `cat /tmp/XXXX`", and doing a background tshark would be equivalent to "tshark {args} &" followed by "echo $! >/tmp/XXXX".

So much of this can be done relatively simply with existing commands.

On Windows:

The second difficulty would be in determining how to send some indication from one process to another that can asynchronously interrupt the second process in such a way that lets it terminate cleanly.
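
The UN*X approach described in the message above (background the capture, record `$!`, later send `kill -TERM`), written out as an added example that is not part of the original message or of Wireshark. The names `capture_start`, `capture_stop`, `CAPTURE_CMD` and `PIDDIR` are hypothetical, and the PID file is kept in a per-user mode-0700 directory rather than `/tmp` so that another local user cannot pre-create or replace it.

```shell
#!/bin/sh
# Added example: named start/stop wrappers built from existing commands.
# CAPTURE_CMD and PIDDIR are assumptions of this example, not tshark options.
CAPTURE_CMD="${CAPTURE_CMD:-tshark}"
PIDDIR="${PIDDIR:-${XDG_RUNTIME_DIR:-$HOME}/capture-pids}"

capture_start() {   # usage: capture_start NAME [capture args, e.g. -i eth0 -w out.pcap]
    name=$1; shift
    # Refuse names that could escape PIDDIR (empty, containing '/', leading '.')
    case $name in ''|*/*|.*) echo "bad capture name" >&2; return 2 ;; esac
    mkdir -p "$PIDDIR" && chmod 700 "$PIDDIR" || return 1
    pidfile="$PIDDIR/$name.pid"
    # kill -0 only tests that the PID exists; it cannot prove it is still our capture
    if [ -f "$pidfile" ] && kill -0 "$(cat "$pidfile")" 2>/dev/null; then
        echo "capture '$name' is already running" >&2; return 1
    fi
    $CAPTURE_CMD "$@" &             # "tshark {args} &"
    echo $! >"$pidfile"             # "echo $! >/tmp/XXXX", in a private directory
}

capture_stop() {    # usage: capture_stop NAME
    case $1 in ''|*/*|.*) echo "bad capture name" >&2; return 2 ;; esac
    pidfile="$PIDDIR/$1.pid"
    [ -f "$pidfile" ] || { echo "no capture named '$1'" >&2; return 1; }
    pid=$(cat "$pidfile")
    rm -f "$pidfile"
    kill -TERM "$pid" 2>/dev/null || return 1   # stale PID file: process already gone
    # Poll until the process has exited, so its output file is complete
    i=0
    while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
        sleep 1; i=$((i + 1))
    done
    ! kill -0 "$pid" 2>/dev/null    # success only if the process is really gone
}
```
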