Hello,

I have tshark running on a Windows 2012 server, and it is writing its temp files to this directory: C:\Users\%Username%\AppData\Local\Temp

I need to move it to a new disk and directory: d:\Temp

I have changed the TEMP, TMP, TMPDIR environment variables to the new path D:\Temp, and when I go to Wireshark -> About -> Folders I can see D:\Temp; however, tshark keeps writing its temp files to the drive C: location. How can I make tshark write to the new directory?

Thank you.

asked 18 Aug '14, 02:17 avi_m1968
edited 18 Aug '14, 02:35
One Answer:
TShark/dumpcap uses the TEMP directory from the user environment variables - have you changed that one, or the system one? You could also always force tshark/dumpcap to write files to a specific location by using the "-w" parameter.

You might also be interested in this blog post: http://blog.packet-foo.com/2014/07/wireshark-file-storage/

answered 18 Aug '14, 02:22 Jasper ♦♦
Hello, I have changed the USER ENV, not the system. I can't use the -w since I'm reading the STDOUT of tshark; if I use it I don't see STDOUT. Any ideas what I'm doing wrong? Thank you.
Have you verified that the command session you're running tshark in actually has the TEMP setting you assume? I usually check this by running the "SET" command. Maybe you're running the command line as a different user, e.g. from a task scheduler account?
I'm running the script from the task scheduler, but it is running as the user in whose profile I changed the environment variables. I have added commands to the script that check and write to a file the environment variables that the script sees, and I'll update you.
You are right: even though the user ENV vars were changed, when running the script it used the global ENV setting. I added the 3 SET commands (TEMP, TMP, TMPDIR) to the script before running tshark and it solved the problem. Thank you :-)
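
The fix reached in this thread, sketched as a Python wrapper (an added example, not code from any of the posters): it sets TEMP, TMP and TMPDIR only for the child process, confirms what a child actually sees before launching, and still reads the command's STDOUT. The function names and the tshark interface number `1` are assumptions for illustration.

```python
import json
import os
import subprocess
import sys
from pathlib import Path

TEMP_VARS = ("TEMP", "TMP", "TMPDIR")  # the three variables named in the thread

def env_with_temp(temp_dir, base_env=None):
    """Return a copy of the environment with all temp variables set to temp_dir."""
    path = Path(temp_dir)
    path.mkdir(parents=True, exist_ok=True)  # a missing directory would break the child
    env = dict(os.environ if base_env is None else base_env)
    for name in TEMP_VARS:
        env[name] = str(path)
    return env

def temp_vars_seen_by_child(env):
    """Spawn a child with env and report the temp variables it really sees
    (the scripted equivalent of running SET inside the session)."""
    probe = ("import json, os; "
             "print(json.dumps({v: os.environ.get(v) for v in %r}))" % (TEMP_VARS,))
    done = subprocess.run([sys.executable, "-c", probe], env=env,
                          capture_output=True, text=True, check=True)
    return json.loads(done.stdout)

def stream_stdout(cmd, temp_dir):
    """Run cmd with the temp override and yield its stdout line by line."""
    env = env_with_temp(temp_dir)
    seen = temp_vars_seen_by_child(env)
    wrong = {k: v for k, v in seen.items() if v != env[k]}
    if wrong:
        raise RuntimeError("child does not see the override: %r" % wrong)
    with subprocess.Popen(cmd, env=env, stdout=subprocess.PIPE, text=True) as proc:
        for line in proc.stdout:
            yield line.rstrip("\r\n")

if __name__ == "__main__":
    # Assumed invocation: interface "1" is a placeholder; -l flushes stdout per packet.
    for packet_line in stream_stdout(["tshark", "-l", "-i", "1"], r"D:\Temp"):
        print(packet_line)
```

Because the override lives in the child's environment, it applies no matter which account or environment block the task scheduler starts the script with.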