Article ID: 310875 - View products that this article applies to.
This article was previously published under Q310875
This article describes how to use the Network Monitor Capture Utility (Netcap.exe) that you can use to capture network traffic in Network Monitor.
Netcap provides capture abilities only from a command prompt; to open the resulting capture (.cap) files, you must use the full Network Monitor interface.
Netcap is installed when you install the Support tools that are on the Windows XP CD-ROM.
For additional information about how to install these tools, click the article number below to view the article in the Microsoft Knowledge Base:
306794Network Monitor is provided with Windows Server products and Microsoft Systems Management Server (SMS).
(https://support.microsoft.com/kb/306794/EN-US/ )How to Install the Support Tools from the Windows XP CD-ROM
Netcap provides capture abilities that are similar to the version of Network Monitor that is included with the Windows Server products; however, you must use Netcap at a command prompt. Netcap installs the Network Monitor driver and binds it to all adapters when you first run the Netcap command.
The full syntax for Netcap is the following syntax:
To determine the network interface card (NIC) index number, you can use the netcap /? command. Under the syntax information, you can view a list of the adapters that are installed on the computer. From this list, you can select the correct adapter for capture. For example, if you want to capture traffic for a dial-up connection on a computer with the following adapters, use NIC index 0:
Usage: NetCap.exe [/B:#] [/T <Type> <Buffer> <HexOffset> <HexPattern>] [/F:<filterfile.cf>] [/C:<capture file>] [/N:#] [/L:HH:MM:SS] [/TCF:<Folder Name>] Example: NetCap /B:20 /N:2 /T BP 100 0a ff1f /F:d:\IPFilter.CF /B:# - Buffer, capture size to take, from 1MB to 1000MB default is 1Mb /T - Trigger, stop capturing when the given buffer and/or pattern is reached If no trigger is given, the capture will stop when the buffer is full Use "/T N" to continue capturing even if the buffer fills Oldest frames in capture will be over written once the buffer is full Note: With "/T N" you will have to hit space bar to stop capturing <Type> - 'B' = buffer, 'P' = Pattern, 'BP' = Buffer then Pattern, 'PB' = Pattern then Buffer 'N' = No Trigger <Buffer> - % Buffer Size '25', '50', '75', '100' used with B, BP, PB (NOT P) <HexOffset> - Hex Offset from start of frame used with P, BP, PB (NOT B) <HexPattern>- Hex Pattern to match used with P, BP, PB (NOT B) The Pattern must be an even number of hex digits /C:<Capture File> - Move temporary capture to full path and/or file name This can be any valid local or remote path If "/C" is not specified the capture file will remain in the default temporary capture folder /F:<filterfile.cf>- A Network Monitor 2.x generated capture filter (*.cf) /L:<HH:MM:SS> - Capture for given amount of time (max 99:99:99) Note: This option overrides the default 100% trigger unless "/T <trigger type>" is also specified /TCF:<Folder Name>- Permanently changes the temporary capture folder Warning the path must be on a fixed local hard drive Once set you only need to use the switch again to change the directory /Remove - Removes the NetCap instance of the Network Monitor driver /N:<#> - NIC Index number, for this computer
The following commands are sample Netcap commands:
Use the following index numbers for these adapters: (default) 0 = ETHERNET (2C3D20524153) WAN (PPP/SLIP) Interface 1 = ETHERNET (000039139635) Local Area Connection 2 2 = ETHERNET (0000390E118E) Local Area Connection
For additional information about how to capture network traffic or the concepts or terms that are used in this article, click the article number below to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/148942/EN-US/ )How to Capture Network Traffic with Network Monitor
Article ID: 310875 - Last Review: October 19, 2001 - Revision: 1.1