Wireshark-users: Re: [Wireshark-users] tshark creates files in temp dir
From: "Al Aghili" <aaghili@xxxxxxxxxxxxxxxxxx>
Date: Thu, 6 Nov 2008 16:59:18 -0700
Guy,
I think we may have to manually delete the files after we kill the
tshark process. That was the problem I think. There were files left over
because we are killing the process programmatically (not ^C). 

In a high traffic environment these files tend to get very big. So your
solution to write the packets on a pipe might work best in the future.

At the same time if that increases the ram consumption then that's a
bigger problem because right now its on disk.

Thanks for the help.

Al

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Guy Harris
Sent: Thursday, November 06, 2008 4:53 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark creates files in temp dir


On Nov 6, 2008, at 9:39 AM, Al Aghili wrote:

> When we run tshark on windows it sometimes creates these large files  
> in Windows/temp directory that start with "ether". Is there a way to  
> turn this off?

Currently, no.  TShark runs dumpcap to do the traffic capture, and  
currently, if you run it without the "-w" flag, tells dumpcap to write  
to a temporary file, and reads from the temporary file.

At some point it should be changed to, in that case, have dumpcap  
write the packets on a pipe, and read from the pipe.

When you terminate TShark with ^C, then it should get rid of the  
file.  Is the problem that the file exists while the capture is being  
done (in which case there's currently nothing you can do to stop it),  
or that the file remains around after you terminate TShark?
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users