Article ID: 924037 - Last Review: October 11, 2007 - Revision: 1.4

How to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information

View products that this article applies to.

On This Page

Expand all | Collapse all

INTRODUCTION

This article describes how to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information on source and destination computers. You can use this information to troubleshoot performance issues that you may experience during the file copy process.
Back to the top

MORE INFORMATION

Several factors affect network file copy performance. To identify the root cause of a problem and to identify the computer that is adversely affecting file copy performance, collect simultaneous network traces on source and destination computers.

You can capture network traffic by running the Netcap.exe utility at a command prompt. The Netcap.exe utility is installed when you install the support tools that are included with Microsoft Windows XP. For more information about how to install support tools, click the following article number to view the article in the Microsoft Knowledge Base:
306794  (http://support.microsoft.com/kb/306794/ ) How to install the Support Tools from the Windows XP CD-ROM

You must use the full Network Monitor interface to open the resulting capture files (.cap). Network Monitor is included with the following products:
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003
  • Microsoft Windows XP
  • Microsoft Systems Management Server (SMS)
The Netcap.exe utility includes capture features that resemble those in Network Monitor. However, the Netcap.exe utility is run at a command prompt. When you first run the Netcap.exe program, it installs the Network Monitor driver and binds it to all network adapters.
Back to the top

Command syntax for the Netcap.exe utility

Usage: 
Netcap.exe [/B:Number] [/T  Type  Buffer  HexOffset  HexPattern  ]
                   [/F:Filter file.cf] [/C:Capture file] [/N:Number]
                   [/L:HH:MM:SS] [/TCF:Folder name]

 Example: NetCap /B:20 /N:2 /T BP 100 0a ff1f /F:d:\IPFilter.CF

 /B:Number           Specifies the buffer size in megabytes (MB). Number may be a value from 1 to 1000. 
                     The default size is 1 MB.   

 /T                  Specifies the use of a trigger to determine when to stop capturing. If the trigger is omitted, 
                     the Netcap.exe utility captures data until the buffer is full and then stops. The "/T /N" option 
                     captures until the spacebar is pressed. This option uses the buffer as a queue. If the buffer 
                     becomes full, the utility overwrites the oldest entries. 

                     Note: If you use the  "/T /N" option,  press the spacebar to stop capturing.

        Type         B  = buffer,  P  = pattern,  BP  = buffer then pattern,
                     PB  = pattern then buffer,  N  = no trigger

        Buffer       Percent buffer size ('25', '50', '75', '100') is used together with
                     B, BP, or PB (not P).

        HexOffset    Hexadecimal offset from start of frame is used together with P, BP, or PB (not B). 

        HexPattern   Hexadecimal pattern to match is used together with P, BP, or PB (not B).
                     The pattern must be an even number of hexadecimal digits.

 /C:Capture file     Move temporary capture to a full path or to a file name.
                     This entry can be any valid local or remote path.
                     If the "/C" option is not specified, the capture file remains
                     in the default temporary capture folder.

 /F:Filter file.cf   A Network Monitor 2.x-generated capture filter (*.cf).

 /L:HH:MM:SS         Capture for set time. (The maximum time = 99:99:99.)
                     Note:  This option overrides the default 100 percent trigger
                     unless the "/T trigger type " option is also specified.

 /TCF:Folder name    Permanently changes the temporary capture folder.
                     Warning: The path must be on a fixed local hard disk drive.
                     As soon as the path is set, you only have to use the switch again
                     to change the directory.

 /Remove             Removes the Netcap.exe instance of the Network Monitor driver.

 /N:Number           Network adapter index number for this computer.
To capture network traces on source and destination computers, follow these steps:
  1. On the source computer, click Start, click Run, type cmd, and then click OK.
  2. At the command prompt, type the following command:
    netcap /n:1 /b:150 /c:c:\Source.cap
    Notes
    • In this example, the Netcap.exe utility captures traffic that is located on network adapter index number 1. The capture buffer is 150 MB. The capture file is saved as C:\Source.cap.
    • To find the network adapter index number, type netcap /?. Under the syntax information, you can see a list of the network adapters that are installed on the computer. Select the correct network adapter to capture network traffic. For example, if you want to capture traffic for local area connection 2 on a computer that uses the following network adapters, use index number 1:
      Use the following index numbers for these adapters:
 (default) 0 = ETHERNET (2C3D20524153) WAN (PPP/SLIP) Interface
           1 = ETHERNET (000039139635) Local Area Connection 2
           2 = ETHERNET (0000390E118E) Local Area Connection
    • If the client computer accesses the destination file server over a virtual private network (VPN) connection, the virtual interface that is created on the client computer must be monitored to see file copy traffic.
  3. On the destination computer, type the following command at a command prompt, and then press ENTER:
    netcap /n:1 /b:150 /c:c:\Destination.cap
    Notes
    • In this example, the Netcap.exe utility captures traffic that is located on network adapter index number 1. The capture buffer is 150 MB. The capture file is saved as C:\Destination.cap.
    • Make sure that you select the correct network adapter index number.
  4. On the source computer, type the following command at a command prompt, and then press ENTER:
    ping –n 15 Destination_IP_address
    Note The IP address is the starting point for the network trace.
  5. On the source computer, type the following command at a command prompt, and then press ENTER:
    net use * \\server\share
    Note Server is the name of the server where the file is stored. Share is the name of the file share.
  6. On the source computer, type the following command at a command prompt, and then press ENTER:
    Copy File_name Drive_letter:
  7. After the file copy process is complete, type the following command at a command prompt on the source computer:
    ping –n 15 Destination_IP_address
    Note This IP address is the end point for network trace.
  8. Press SPACEBAR to stop capturing network traffic.
  9. Send the following information to Microsoft Product Support Services (PSS):
    • The Source.cap file from the source computer.
    • The Destination.cap file from the destination computer.
    • The name of the file that you copied in step 6.
    • The IP addresses of the source and destination computers.
Back to the top

MORE INFORMATION

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
310875  (http://support.microsoft.com/kb/310875/ ) Description of the Network Monitor Capture Utility
Back to the top
APPLIES TO
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional Edition
Back to the top
Keywords: 
kbhowto KB924037
Back to the top
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations