
I have built a .Net application that starts a capture using the command line:

using System;
using System.Diagnostics;
using System.IO;

// The original post uses this enum without defining it; the members below are
// the ones referenced in the switch in invokeProcess.
public enum WiresharkProcesses { Capinfo, Editcap, Tshark, Wireshark }

private void startCapturing(string path)
{
    // -i 1: capture on interface 1, -s 65535: full snapshot length,
    // -w: write the capture to a file under D:\Downloads
    string args = string.Format("-i 1 -s 65535 -w {0}", Path.Combine(@"D:\Downloads", path));
    invokeProcess(WiresharkProcesses.Tshark, args);
}

protected void invokeProcess(WiresharkProcesses process, string args)
{
    try
    {
        string processToInvoke = null;
        validateProcess(process);

        // Map the requested tool to its executable under the Wireshark install directory
        switch (process)
        {
            case WiresharkProcesses.Capinfo:
                processToInvoke = Path.Combine(getbBasePath, "capinfos.exe");
                break;
            case WiresharkProcesses.Editcap:
                processToInvoke = Path.Combine(getbBasePath, "editcap.exe");
                break;
            case WiresharkProcesses.Tshark:
                processToInvoke = Path.Combine(getbBasePath, "tshark.exe");
                break;
            case WiresharkProcesses.Wireshark:
                processToInvoke = Path.Combine(getbBasePath, "wireshark.exe");
                break;
        }

        // Launch the tool hidden, with no console window of its own.
        // stdout and stderr are redirected, but nothing in this method reads them.
        ProcessStartInfo processStartInfo = new ProcessStartInfo(processToInvoke);
        processStartInfo.Arguments = args;
        processStartInfo.WindowStyle = ProcessWindowStyle.Hidden;
        processStartInfo.RedirectStandardOutput = true;
        processStartInfo.RedirectStandardError = true;
        processStartInfo.CreateNoWindow = true;
        processStartInfo.UseShellExecute = false;
        processStartInfo.ErrorDialog = false;
        Process pros = Process.Start(processStartInfo);
    }
    catch (Exception ex)
    {
        cw(ex.Message);   // cw: the application's logging helper
    }
}

Everything works fine, but after a few minutes (while the tshark process is still running) I can see that no new packets are arriving (I simply open the capture file on disk) and the elapsed time (Statistics --> Summary) is not growing.

If I run the same command directly from the command line (without the .Net code), it keeps working and does not stop. By the way, my Wireshark version is 1.10.0 on Windows 8 x64.


1 Answer


It may be that you are not receiving that many packets and tshark is buffering them, so it looks as if tshark stops capturing for a while. Make sure tshark does not buffer packets:

tshark -l

From the man page:

-l  Flush the standard output after the information for each packet is printed. 
    [...]

    This may be useful when piping the output of TShark to another program, as it
    means that the program to which the output is piped will see the dissected
    data for a packet as soon as TShark sees the packet and generates that
    output, rather than seeing it only when the standard output buffer containing
    that data fills up.
Answered 2017-08-20T08:57:03.203
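The following is an added example and not the asker's code or part of the answer. It shows a launcher that passes `-l` as the answer suggests and, in addition, drains the redirected stdout and stderr pipes asynchronously: a child whose redirected output is never read will block as soon as the pipe buffer fills, which produces the same "capture stalls after a few minutes" symptom even with `-l`. The tshark install path, the interface id `1`, the capture directory and the file name are assumptions; the capture path is quoted and checked so that a caller-supplied file name cannot add arguments or point outside the capture directory.

```csharp
using System;
using System.Diagnostics;
using System.IO;

// Added example (not from the original post). Assumed install location and
// capture directory; adjust both for the local machine.
public static class TsharkLauncher
{
    private const string TsharkPath = @"C:\Program Files\Wireshark\tshark.exe";

    // Builds the tshark argument string. -l asks tshark to flush its output
    // per packet; the -w path is quoted so spaces stay inside one argument.
    public static string BuildArgs(int interfaceId, string captureDir, string fileName)
    {
        string full = Path.GetFullPath(Path.Combine(captureDir, fileName));
        string root = Path.GetFullPath(captureDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        // Reject names such as "..\other.pcap" that would leave the capture directory.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("capture file must stay inside " + captureDir);
        if (full.IndexOf('"') >= 0)
            throw new ArgumentException("capture file name must not contain quotes");
        return string.Format("-i {0} -s 65535 -l -w \"{1}\"", interfaceId, full);
    }

    // Starts tshark and attaches readers to both pipes before any output can
    // accumulate, so the child never blocks on a full stdout/stderr buffer.
    public static Process Start(string args)
    {
        var psi = new ProcessStartInfo(TsharkPath, args)
        {
            UseShellExecute = false,
            CreateNoWindow = true,
            RedirectStandardOutput = true,
            RedirectStandardError = true
        };
        var proc = new Process { StartInfo = psi, EnableRaisingEvents = true };
        proc.OutputDataReceived += (s, e) =>
        {
            if (e.Data != null) Console.WriteLine("[tshark] " + e.Data);
        };
        proc.ErrorDataReceived += (s, e) =>
        {
            if (e.Data != null) Console.Error.WriteLine("[tshark:err] " + e.Data);
        };
        proc.Start();
        proc.BeginOutputReadLine();
        proc.BeginErrorReadLine();
        return proc;
    }

    public static void Main()
    {
        Process p = Start(BuildArgs(1, @"D:\Downloads", "capture.pcap"));
        Console.WriteLine("tshark pid " + p.Id + "; press Enter to stop");
        Console.ReadLine();
        if (!p.HasExited)
        {
            p.Kill();
            p.WaitForExit();
        }
    }
}
```

Usage note: `Kill()` ends the capture abruptly and may leave the last block of the pcap file unwritten; for an unattended run it is cleaner to let tshark stop itself with an autostop condition such as `-a duration:60` and then call `WaitForExit()`. If the application does not need the tool's output at all, setting `RedirectStandardOutput`/`RedirectStandardError` to `false` avoids the pipe problem entirely; what must not happen is redirecting a pipe and then never reading it.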