user2214609

Reputation: 4961

Tshark stops capturing after a few minutes although the process is still running

I have built a .NET application that starts capturing using the command line:

private void startCapturing(string path)
{
    string args = string.Format("-i 1 -s 65535 -w {0}", Path.Combine(@"D:\Downloads", path));
}

protected void invokeProcess(WiresharkProcesses process, string args)
{
    try
    {
        string processToInvoke = null;
        validateProcess(process);

        switch (process)
        {
            case WiresharkProcesses.Capinfo:
                processToInvoke = Path.Combine(getbBasePath, "capinfos.exe");
                break;
            case WiresharkProcesses.Editcap:
                processToInvoke = Path.Combine(getbBasePath, "editcap.exe");
                break;
            case WiresharkProcesses.Tshark:
                processToInvoke = Path.Combine(getbBasePath, "tshark.exe");
                break;
            case WiresharkProcesses.Wireshark:
                processToInvoke = Path.Combine(getbBasePath, "wireshark.exe");
                break;
        }

        ProcessStartInfo processStartInfo = new ProcessStartInfo(processToInvoke);
        processStartInfo.Arguments = args;
        processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        processStartInfo.RedirectStandardOutput = true;
        processStartInfo.RedirectStandardError = true;
        processStartInfo.CreateNoWindow = true;
        processStartInfo.UseShellExecute = false;
        processStartInfo.ErrorDialog = false;
        Process pros = Process.Start(processStartInfo);
    }
    catch (Exception ex)
    {
        cw(ex.Message);
    }
}

Everything works fine, but after several minutes (while the tshark process is still running) I can see that no new packets are received (I just open the capture on my disk) and the elapsed time (Statistics --> Summary) is not growing.

If I use the same command directly from the command line (without the .NET code), it works without stopping. BTW, my Wireshark version is 1.10.0 under Windows 8 x64.

Upvotes: 0

Views: 1100

Answers (1)

pchaigno

Reputation: 13133

Could be that you're not receiving that many packets and tshark is buffering them. So it would look like tshark stopped capturing for a while. To make sure tshark doesn't buffer packets:

tshark -l

From the man page:

-l  Flush the standard output after the information for each packet is printed. 
    [...]

    This may be useful when piping the output of TShark to another program, as it
    means that the program to which the output is piped will see the dissected
    data for a packet as soon as TShark sees the packet and generates that
    output, rather than seeing it only when the standard output buffer containing
    that data fills up.

Upvotes: 1
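
An added example (not code from the question or the answer): it starts tshark from .NET with the answer's `-l` flag and also drains the redirected stdout/stderr pipes that the question's `ProcessStartInfo` sets up, since a child process blocks when it writes to a redirected pipe that is full and unread. The class name `TsharkRunner`, the install path in `TsharkExe` and the file name `capture.pcap` are assumptions for illustration.

```csharp
using System;
using System.Diagnostics;
using System.IO;

static class TsharkRunner
{
    // Assumed install location; adjust to the local Wireshark directory.
    const string TsharkExe = @"C:\Program Files\Wireshark\tshark.exe";

    public static Process StartCapture(string pcapPath, Action<string> log)
    {
        var psi = new ProcessStartInfo(TsharkExe)
        {
            // Same capture options as the question, plus -l from the answer.
            Arguments = string.Format("-l -i 1 -s 65535 -w \"{0}\"", pcapPath),
            UseShellExecute = false,
            CreateNoWindow = true,
            RedirectStandardOutput = true,
            RedirectStandardError = true
        };

        var proc = new Process { StartInfo = psi, EnableRaisingEvents = true };

        // Redirected pipes have a finite buffer: if nobody reads them, the
        // child blocks on its next write once the buffer is full. The async
        // readers below keep both pipes empty for the life of the capture.
        proc.OutputDataReceived += (s, e) => { if (e.Data != null) log("out: " + e.Data); };
        proc.ErrorDataReceived += (s, e) => { if (e.Data != null) log("err: " + e.Data); };
        proc.Exited += (s, e) => log("tshark exited with code " + proc.ExitCode);

        proc.Start();
        proc.BeginOutputReadLine();   // must be called after Start()
        proc.BeginErrorReadLine();
        return proc;
    }

    static void Main()
    {
        // Hypothetical output file name under the question's download folder.
        var proc = StartCapture(Path.Combine(@"D:\Downloads", "capture.pcap"), Console.WriteLine);
        Console.ReadLine();           // capture until Enter is pressed
        if (!proc.HasExited) proc.Kill();
        proc.WaitForExit();
    }
}
```

If the parent has no use for tshark's console output, leaving `RedirectStandardOutput` and `RedirectStandardError` at `false` avoids the pipes altogether.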
