6

In my application I open a TShark process and start capturing. When I want to finish capturing, I kill the TShark process, so sometimes the capture file is corrupted, and when I try to open this file I receive the error "the capture file appears to have been cut short in the middle of a packet". How can I prevent this error? Is there a better way to close the TShark process to avoid this error?

user1710944

3 Answers

7

Try stopping the capture process with ctrl+c instead of killing the process.

Also, you can try using pcapfix to fix your corrupted packets; it may help make your existing files readable again.

SidR
  • I open the process with windows = hidden, so I don't see the window. Is it possible to stop the capture process with Ctrl+C? – user1710944 Nov 27 '12 at 15:26
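
What the "cut short in the middle of a packet" error means at the byte level, as an added example that is not part of the original answers: this Python sketch walks a capture file (classic pcap or pcapng) and reports where the last complete packet ends, so an application can check a file after stopping TShark. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Classic pcap magic numbers (microsecond and nanosecond), mapped to byte order.
PCAP_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
               b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
SHB = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type (same in both byte orders)

def check_capture(data):
    """Return (format, complete_packets, good_length, cut_short) for capture bytes."""
    if data[:4] == SHB:
        return ("pcapng",) + _walk_pcapng(data)
    if data[:4] in PCAP_MAGICS and len(data) >= 24:
        return ("pcap",) + _walk_pcap(data, PCAP_MAGICS[data[:4]])
    raise ValueError("not a complete pcap/pcapng file header")

def _walk_pcap(data, endian):
    off, packets = 24, 0                      # records start after the 24-byte file header
    while off < len(data):
        if off + 16 > len(data):              # record header itself is incomplete
            return packets, off, True
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        if off + 16 + incl_len > len(data):   # packet bytes end before incl_len is reached
            return packets, off, True
        off += 16 + incl_len
        packets += 1
    return packets, off, False

def _walk_pcapng(data):
    off, packets, endian = 0, 0, "<"
    while off < len(data):
        if off + 12 > len(data):              # smallest possible block is 12 bytes
            return packets, off, True
        if data[off:off + 4] == SHB:          # byte-order magic sits at offset 8 of the SHB
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        btype, total = struct.unpack_from(endian + "II", data, off)
        if total < 12 or off + total > len(data):  # impossible length or block cut short
            return packets, off, True
        if btype in (3, 6):                   # Simple / Enhanced Packet Block
            packets += 1
        off += total
    return packets, off, False

if __name__ == "__main__":
    # Constructed sample: classic pcap header, one whole record, one cut mid-packet.
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<IIII", 0, 0, 4, 4) + b"abcd"
    print(check_capture(hdr + rec + rec[:18]))
```

`good_length` is the offset up to which the file consists of whole records or blocks; bytes past it belong to the packet that was being written when the process died.
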
1

If this is on UN*X, if you kill the process with kill -INT pid, then that will look just like a Ctrl+C. I'm not sure there's an equivalent on Windows.

-2

I know this post is old, but in case anyone else runs across this:

The OP is probably running something like this:

tshark > capture.cap

And then killing it with CTRL+C. This will corrupt the file.

Instead of redirecting the output, use the -w option:

tshark -w capture.cap

Then you can kill it with CTRL+C and shouldn't have any corruption issues.

Ericle
    Running `tshark > capture.cap` won't even produce a capture file that's readable by Wireshark - it'll produce a *text* file with dissections of the packets. –  Jun 08 '16 at 17:18