Replay: Remotely Stopping Wireshark
Updated: Mar 3, 2021
One of the advantages of installing Wireshark, is working with and learning the various command line utilities that come along with it. Programs like tshark and dumpcap allow you to capture from the command line. This gives the analyst a lot of flexibility in the field.
For example you might create a shortcut on a client’s desktop so they can capture packets for you. You can also create a batch file so the system starts capturing when it powered on, which is very helpful when I build remote capture devices.
Tshark and dumpcap can capture with specific parameters like ring buffers, filters, etc.
One popular question I get asked is how to stop dumpcap or tshark after you start it. Normally you would press Ctrl+C to stop the capture. I have to admit that the solution I came up with is not very elegant, but works.
This solution works with Windows 7, 8 and 10 and works with the native operating system. The commands referenced tasklist and taskkill. By ‘killing either tshark or dumpcap, the capture is halted and since the file is written to as the packets are captured, the trace file is saved.
Here is a list of commands I used:
Provides a list of interfaces to reference when capturing
dumpcap -i 8
Captures from interface number 8 using the default temp folder and filename.
tasklist /FI "imagename eq dumpcap.exe"
Will check and display related information the dumpcap.exe is running.
taskkill /F /IM dumpcap.exe
Will kill the dumpcap.exe task or application.
The best part is that if you have the proper login credentials, you can perform the same procedure on a remote system.