
Why do I get "No process is associated with this object." when calling process.Close() or process.Kill()?


I have a C# program that launches TShark.exe, which is the background equivalent of Wireshark. I would like to close all instances that I start. It appears to start just fine, run in the background and log network traffic to a file as it should. However, when I try to close it, I get a "No process is associated with this object." exception.

Here is how I'm starting the processes:

ProcessStartInfo processStartInfo = new ProcessStartInfo
{
   Arguments = $"-i {nic} -t ad -w {GenerateLogPath(nic)}",
   FileName = "\"C:\\Program Files\\Wireshark\\tshark.exe\"",
   CreateNoWindow = true,
   WindowStyle = ProcessWindowStyle.Hidden,
   UseShellExecute = false
};

WireSharkProcesses.Add(System.Diagnostics.Process.Start(processStartInfo));

I've tried several methods to close/kill these processes. First, I kept a list of all processes that I had started in my app and called the following on them without success:

process.CloseMainWindow();
process.Close();
process.Kill();

I kept getting the "No process is associated with this object." exception.

So, I used:

var processes = System.Diagnostics.Process.GetProcesses();

And got a list of all processes on my machine and looped through them and attempted to close those whose process name was "tshark" or "dumpcap". I attempted this with .CloseMainWindow(), .Close(), and .Kill(), all of which failed and threw the above exception.

I even went into TaskManager and attempted to END TASK on them. They appeared to be removed, but upon closing and re-opening TaskManager, they magically reappeared. There are also now several instances of "tshark" and "dumpcap" that show up when I call GetProcesses(), but are not in the list of processes that Task Manager shows.

What am I missing here? Short of rebooting my machine, how do I get these processes to exit? Is this just a Wireshark problem, or a general problem with killing processes?


Solution

  • Are you using WinPcap or Npcap? If you're using WinPcap, you could try switching to Npcap and using that instead. See Gerald Combs' comment #32 on the recently closed Wireshark Bug 14701.

    By the way, in case you weren't aware, tshark is capable of capturing on more than one interface at a time, so in theory only a single instance is required. I understand that this can sometimes cause reassembly problems though, so if that's what you're trying to avoid or if you just want to keep packets separated by interface, then yes, you'll have to start multiple instances.
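
The single-instance approach from the answer, combined with a stop routine that keeps the Process handle valid until the process tree has exited, as an added example that is not code from the original question or answer. The class name TsharkCapture and its members are hypothetical, and it assumes .NET Core 3.0 or later for Kill(entireProcessTree) and ArgumentList.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;

// Hypothetical helper (not from the post): one tshark instance for all NICs.
public sealed class TsharkCapture : IDisposable
{
    private readonly Process _process;

    public TsharkCapture(IEnumerable<string> nics, string outputPath)
    {
        var psi = new ProcessStartInfo
        {
            FileName = @"C:\Program Files\Wireshark\tshark.exe",
            CreateNoWindow = true,
            UseShellExecute = false
        };
        // ArgumentList quotes each value, so a NIC name or log path that
        // contains spaces or quotes cannot split into extra tshark options.
        foreach (var nic in nics)
        {
            psi.ArgumentList.Add("-i");
            psi.ArgumentList.Add(nic);
        }
        psi.ArgumentList.Add("-t"); psi.ArgumentList.Add("ad");
        psi.ArgumentList.Add("-w"); psi.ArgumentList.Add(outputPath);

        _process = Process.Start(psi)
            ?? throw new InvalidOperationException("tshark did not start");
    }

    public void Stop()
    {
        try
        {
            if (_process.HasExited) return;
            // tshark captures through a dumpcap child; kill the whole tree.
            _process.Kill(entireProcessTree: true);
            _process.WaitForExit(5000);
        }
        catch (InvalidOperationException) { /* already exited or disposed */ }
    }

    // Close()/Dispose() only release the handle. Calling Kill() after them
    // throws "No process is associated with this object.", so dispose last.
    public void Dispose()
    {
        Stop();
        _process.Dispose();
    }
}
```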