Dumpcap is the part of the wireshark suite that captures packets. Unlike Wireshark and tshark, dumpcap cannot see non-physical interfaces like extcap interfaces. tshark has most of the same flags that dumpcap has because tshark calls dumpcap for much of its capture functionality.
Under high loads, there is some evidence that tshark drops more packets than dumpcap; however, these results are taken from a single machine (i.e. n=1).
For normal traffic loads, the choice of using tshark vs dumpcap should depend on which flags you want to use.
There are a couple of dumpcap (not tshark) flags that can be used to limit resource usage.
Wireshark and dumpcap will generate a temporary file if you do not specify an output file. This is how it is able to do 2-pass analysis: It has access to a file that it can operate on. tshark will generate this file too, but won’t tell you where it is.
Specifying the save file with
-w $file is faster than creating and searching for a temp file.