0

I have a C# program that is launching TShark.exe, which is the background equivalent of Wireshark. I would like to close all instances that I start. It appears to start just fine, run in the background and log network traffic to a file as it should. However, when I try to close it, I get a "No process is associated with this object." exception.

Here is how I'm starting the processes:

ProcessStartInfo processStartInfo = new ProcessStartInfo
{
   Arguments = $"-i {nic} -t ad -w {GenerateLogPath(nic)}",
   FileName = "\"C:\\Program Files\\Wireshark\\tshark.exe\"",
   CreateNoWindow = true,
   WindowStyle = ProcessWindowStyle.Hidden,
   UseShellExecute = false
};

WireSharkProcesses.Add(System.Diagnostics.Process.Start(processStartInfo));

I've tried several methods to close/kill these processes. First, I kept a list of all processes that I had started in my app and called the following on them without success:

process.CloseWindow();
process.Close();
process.Kill();

I kept getting the "No process is associated with this object." exception.

So, I used:

var processes = System.Diagnostics.Process.GetProcesses();

And got a list of all processes on my machine and looped through them and attempted to close those whose process name was "tshark" or "dumpcap". I attempted this with .CloseWindow(), .Close(), and .Kill(), all of which failed and threw the above exception.

I even went into Task Manager and attempted to END TASK on them. They appeared to be removed, but upon closing and re-opening Task Manager, they magically reappeared. There are also now several instances of "tshark" and "dumpcap" that show up when I call GetProcesses(), but are not in the list of processes that Task Manager shows.

What am I missing here? Short of rebooting my machine, how do I get these processes to exit? Is this just a Wireshark problem, or a general problem with killing processes?

Curtis
  • For the solution, I ended up just using the -a flag and setting the duration to 100, so that it basically ran longer than whatever process I was trying to capture would last. So I just added: -a duration:100 as a command line argument and it shuts itself down after 100 seconds. – Curtis Dec 05 '18 at 19:34

1 Answer

1

Are you using WinPcap or Npcap? If you're using WinPcap, you could try switching to Npcap and using that instead. See Gerald Combs's comment #32 on the recently closed Wireshark Bug 14701.

By the way, in case you weren't aware, tshark is capable of capturing on more than one interface at a time, so in theory only a single instance is required. I understand that this can sometimes cause reassembly problems though, so if that's what you're trying to avoid or if you just want to keep packets separated by interface, then yes, you'll have to start multiple instances.

Christopher Maynard
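An added example, not code from the question or the answer: it combines the single-instance capture on several interfaces mentioned in the answer with the `-a duration:100` autostop from the comment, and stops the process in an order that keeps the `Process` object usable. `Process.Close()` releases the handle, so any `Kill()` issued after it throws `InvalidOperationException` ("No process is associated with this object."); here `Kill()` and `WaitForExit()` run first and `Dispose()` last. The class and method names, interface names and output path are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;

static class CaptureRunner
{
    // Hypothetical helper: one tshark instance for all NICs, with an autostop duration.
    public static ProcessStartInfo BuildStartInfo(IEnumerable<string> nics, string logPath, int seconds)
    {
        string interfaces = string.Join(" ", nics.Select(n => $"-i \"{n}\""));
        return new ProcessStartInfo
        {
            FileName = @"C:\Program Files\Wireshark\tshark.exe", // path from the question
            Arguments = $"{interfaces} -t ad -a duration:{seconds} -w \"{logPath}\"",
            CreateNoWindow = true,
            UseShellExecute = false
        };
    }

    // Order matters: Kill() and WaitForExit() need the handle, so Dispose() comes last.
    public static void Stop(Process process, int graceMs)
    {
        try
        {
            if (!process.WaitForExit(graceMs)) // give the autostop a chance to end the capture
            {
                process.Kill();
                process.WaitForExit();
            }
        }
        catch (InvalidOperationException)
        {
            // The process exited between the check and Kill(), or the object was already closed.
        }
        finally
        {
            process.Dispose(); // same effect as Close(): releases the handle
        }
    }

    static void Main()
    {
        // Constructed sample values; replace with real interface names and a writable path.
        var psi = BuildStartInfo(new[] { "Ethernet", "Wi-Fi" }, @"C:\Temp\capture.pcapng", 100);
        Process process = Process.Start(psi);
        Stop(process, 105000); // slightly longer than the 100 s autostop
    }
}
```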