Info: When you stop the packet capture on Windows with Ctrl-C, you will see several errors of the format:
failed to remove file remove XXXXX.ncap.gz: The process cannot access the file because it is being used by another process.
This happens because NETCAP creates and opens files for all supported audit record types on startup, and closes them when packet capture is finished or interrupted. Since it often happens that not all supported protocols appear in the data stream, NETCAP reopens the audit record files after closing them to check whether they are empty (that is, they contain only the NETCAP header) and, if so, removes the empty audit record files.
Unfortunately, Windows does not allow closing and opening a file from the same process within such a small time interval, which leads to the error shown above. As a consequence, empty audit record files are not removed automatically on Windows.
If you know a workaround for this, please let me know.
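
An added example, not NETCAP's own code: one way to decide emptiness without the reopen step described above is to count records in memory and remove the file only after both handles are closed. The names `auditFile`, `openAudit`, `write` and `closeAndPrune` are hypothetical, and the header bytes are constructed placeholders.

```go
package main

import (
	"compress/gzip"
	"fmt"
	"os"
)

type auditFile struct { // hypothetical per-record-type writer, not NETCAP's own type
	f       *os.File
	gz      *gzip.Writer
	records int // records written after the header
}

// openAudit creates the file and writes a constructed placeholder header.
func openAudit(path string) (*auditFile, error) {
	f, err := os.Create(path)
	if err != nil {
		return nil, err
	}
	a := &auditFile{f: f, gz: gzip.NewWriter(f)}
	_, err = a.gz.Write([]byte("constructed-header\n"))
	return a, err
}

func (a *auditFile) write(rec []byte) error {
	a.records++ // counted here, so emptiness is known without reopening the file
	_, err := a.gz.Write(rec)
	return err
}

// closeAndPrune closes the gzip stream and the file handle, then removes a header-only file.
func (a *auditFile) closeAndPrune() (bool, error) {
	if err := a.gz.Close(); err != nil {
		a.f.Close() // still release the OS handle
		return false, err
	}
	if err := a.f.Close(); err != nil || a.records > 0 {
		return false, err
	}
	err := os.Remove(a.f.Name())
	return err == nil, err
}

func main() {
	if a, err := openAudit("UDP.ncap.gz"); err == nil {
		fmt.Println(a.closeAndPrune())
	}
}
```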