Wireshark · Ethereal-users: Re: [Ethereal-users] Command in order to stop tethereal capture

Ethereal-users: Re: [Ethereal-users] Command in order to stop tethereal capture

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Ulf Lamping <ulf.lamping@xxxxxx>

Date: Fri, 30 Sep 2005 21:04:26 +0200

Guy Harris wrote:

Andrew Hood wrote:
pskill tethereal
see http://www.sysinternals.com/Utilities/PsKill.html
...on Windows NT ("NT" including NT 5.x, i.e. W2K/WXP/WServer2K3, andpossibly 6.0, i.e. Vista). However, does that just terminate theprocess uncleanly (similarly to "kill -KILL" on UN*Xes), or does itcause some indication to be delivered to the process, such as a "CTRLevent":
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/setconsolectrlhandler.asp
If it just terminates the process uncleanly, the last few packetscaptured probably won't be saved to the capture file (and some packetmight be partially written) and if you try to read the file you'llprobably get an error at the end (the packets completely written tothe file will be readable).
*Is* there a Windows equivalent of SIGTERM for non-GUI processes (Iinfer that when you shut Windows down from the GUI, it first deliversa polite "please shut yourself down" message of some sort to at leastsome processes, and if they don't exit after some amount of time, theyoffer to let you just kill off the process, but if the "please shutyourself down" message is a window system message, Tethereal won't seeit)?

There are two "please shut yourself down" messages I know of: WM_CLOSEand WM_QUIT.

WM_CLOSE is the polite version you talk about, used when you e.g. usethe X on the top right corner.


WM_QUIT is a more "hardcore" version, but much less used.

Of course, both messages are only useful for a program which uses amessage loop. Note that it's not limited to GUI applications to have amessage loop, but can be complicated to do so.

Sending signals to politely quit an application seems to be impossible(every tips welcome how to do this cleanly), I've tried a lot ofdifferent approaches while redesigning the capture slave in Ethereal,but end up using a pipe to signal this "end of capture" messagescleanly, everything else I tried (e.g. using signals) simply terminatedthe slave process, leaving some captured packets "left alone".


Regards, ULFL

P.S: Could someone please start a wiki page on this, so we don't have tostart the same discussion in six month or so again?

References:
- [Ethereal-users] Command in order to stop tethereal capture
  - From: Carolina Gómez
- Re: [Ethereal-users] Command in order to stop tethereal capture
  - From: Joerg Mayer
- Re: [Ethereal-users] Command in order to stop tethereal capture
  - From: Andrew Hood
- Re: [Ethereal-users] Command in order to stop tethereal capture
  - From: Guy Harris

Prev by Date: [Ethereal-users] New Protocol Definition
Next by Date: [Ethereal-users] Capture Filter Help
Previous by thread: Re: [Ethereal-users] Command in order to stop tethereal capture
Next by thread: [Ethereal-users] Capture Filter Help
Index(es):
- Date
- Thread

Riverbed Cascade Pilot: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Riverbed AirPcap: Complete Visibility of Your Wireless Networks; Multi-Channel, Aggregated Analysis; Portable and Versatile; Easy to Setup and Easy to Use; Ready to Power Your Application

$Riverbed TurboCap: Full-Speed GbE Capture; Port Aggregation; Pass-thru Mode; Aggregating Tap; Full-Speed GbE Injection; Exported Interfaces; TurboCap API Developer\'s Pack$