Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] tshark creates files in temp dir

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Thu, 6 Nov 2008 15:53:21 -0800

On Nov 6, 2008, at 9:39 AM, Al Aghili wrote:

When we run tshark on windows it sometimes creates these large files in Windows/temp directory that start with “ether”. Is there a way to turn this off?

Currently, no. TShark runs dumpcap to do the traffic capture, and currently, if you run it without the "-w" flag, tells dumpcap to write to a temporary file, and reads from the temporary file.

At some point it should be changed to, in that case, have dumpcap write the packets on a pipe, and read from the pipe.

When you terminate TShark with ^C, then it should get rid of the file. Is the problem that the file exists while the capture is being done (in which case there's currently nothing you can do to stop it), or that the file remains around after you terminate TShark?