Tags: winapi, qprocess, createprocess

How to close dumpcap.exe using WinAPI? Dumpcap.exe is run by cmd.exe


I'm capturing packets with dumpcap.exe in a cmd.exe window:

dumpcap.exe -i 5 -w:\\Users\\xyz.abc\\Desktop\\allPacketTMC.pcapng

This capturing method works in a Qt GUI. When I click the "Start LOG" button, it starts capturing packets. The code below works in Qt Creator for capturing:

const char *command = "dumpcap.exe -i 5 -w:\\Users\\xyz.abc\\Desktop\\allPacketTMC.pcapng";
std::system(command);

I can close dumpcap.exe in the cmd window with Ctrl-C. But I want to close dumpcap with the Win32 API (or another method).

When I click a button, I am reading all processes with EnumProcessModules() and can show their process PIDs. But the PID of dumpcap.exe doesn't appear, so I cannot close dumpcap from my GUI.

I used QProcess to create the process in Qt, but it doesn't work in an open window.

I use the std::system() function and close dumpcap.exe from the cmd window with Ctrl-C, but I don't want to close dumpcap this way.

I searched for how to use the CreateProcess() function for creating cmd.exe from the Win32 API, but I didn't run dumpcap.exe with CreateProcess() because I didn't declare the lpCommandLine argument.


Solution

  • Simply pass CreateProcess() the same command line you are passing to system(). CreateProcess() gives you a process ID you can use with GenerateConsoleCtrlEvent(), and a process handle you can use with TerminateProcess().

    #include <windows.h>

    // CreateProcess may modify lpCommandLine, so it must be a writable array, not a string literal.
    char command[] = "dumpcap.exe -i 5 -w:\\Users\\xyz.abc\\Desktop\\allPacketTMC.pcapng";

    STARTUPINFOA si = {};
    si.cb = sizeof(si);

    PROCESS_INFORMATION pi = {};

    // The child gets its own console (which console control events can be aimed at) and its own
    // process group, whose id equals pi.dwProcessId. CREATE_NO_WINDOW is ignored when combined with
    // CREATE_NEW_CONSOLE; hide the console window through si.wShowWindow instead if needed.
    if (CreateProcessA(NULL, command, NULL, NULL, FALSE, CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP | CREATE_NO_WINDOW, NULL, NULL, &si, &pi))
    {
        // ... (capture runs; when the capture should stop:)
        // Share the child's console, then send it the signal Ctrl-C/Ctrl-Break would.
        // CTRL_C_EVENT cannot be delivered to a specific process group, so use CTRL_BREAK_EVENT,
        // which dumpcap's console control handler also treats as a request to stop the capture.
        AttachConsole(pi.dwProcessId);
        GenerateConsoleCtrlEvent(CTRL_BREAK_EVENT, pi.dwProcessId);
        FreeConsole();                         // must detach before attaching to another console
        AttachConsole(ATTACH_PARENT_PROCESS);  // fails harmlessly if the parent has no console
        // or, as a last resort (the capture file may then be left unfinished):
        TerminateProcess(pi.hProcess, 0);
        // ...
        WaitForSingleObject(pi.hProcess, INFINITE);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }


    The alternative is to not use dumpcap.exe at all. Use a library like libpcap instead and do the capturing yourself directly in your own code.
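    As an added example (not the answer's own code), a start/stop pair that follows the answer's approach: CreateProcessA into a new console and process group, a console control event for a clean shutdown so dumpcap can finish the pcapng file, and TerminateProcess only as a fallback. The Win32 part compiles only on Windows (`_WIN32`); the writable command-line helper is portable. `startCapture`, `stopCapture` and the grace period are names chosen here, not from the page.

```cpp
#include <string>
#include <vector>

// CreateProcess may write into lpCommandLine, so it must be a writable,
// NUL-terminated buffer, never a string literal.
std::vector<char> writableCommandLine(const std::string& cmd) {
    std::vector<char> buf(cmd.begin(), cmd.end());
    buf.push_back('\0');
    return buf;
}

#ifdef _WIN32
#include <windows.h>

// Start the child in its own console (window hidden) and its own process
// group (group id == child pid), so a control event can be aimed at it alone.
// Pass an absolute path in cmd: a bare name is searched in the current directory and PATH.
bool startCapture(const std::string& cmd, PROCESS_INFORMATION& pi) {
    std::vector<char> line = writableCommandLine(cmd);
    STARTUPINFOA si = {};
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;
    return CreateProcessA(NULL, line.data(), NULL, NULL, FALSE,
                          CREATE_NEW_CONSOLE | CREATE_NEW_PROCESS_GROUP,
                          NULL, NULL, &si, &pi) != 0;
}

// True if the child exited after the console event; false if it had to be
// killed, in which case the capture file may be truncated.
bool stopCapture(PROCESS_INFORMATION& pi, DWORD graceMs) {
    bool graceful = false;
    FreeConsole();                       // AttachConsole fails if we already own a console
    if (AttachConsole(pi.dwProcessId)) { // share the child's console
        // CTRL_C_EVENT cannot be delivered to a specific process group,
        // so send Ctrl+Break to the child's group only (not to ourselves).
        graceful = GenerateConsoleCtrlEvent(CTRL_BREAK_EVENT, pi.dwProcessId) != 0
                && WaitForSingleObject(pi.hProcess, graceMs) == WAIT_OBJECT_0;
        FreeConsole();
    }
    if (!graceful) {
        TerminateProcess(pi.hProcess, 1);
        WaitForSingleObject(pi.hProcess, INFINITE);
    }
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return graceful;
}
#endif
```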