Description of the Network Monitor Capture Utility

Support for Windows XP has ended

Microsoft ended support for Windows XP on April 8, 2014. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article was previously published under Q310875
This article has been archived. It is offered "as is" and will no longer be updated.
This article describes how to use the Network Monitor Capture Utility (Netcap.exe) that you can use to capture network traffic in Network Monitor.
Netcap provides capture abilities only from a command prompt; to open the resulting capture (.cap) files, you must use the full Network Monitor interface.

Netcap is installed when you install the Support tools that are on the Windows XP CD-ROM.

For additional information about how to install these tools, click the article number below to view the article in the Microsoft Knowledge Base:
306794 How to Install the Support Tools from the Windows XP CD-ROM
Network Monitor is provided with Windows Server products and Microsoft Systems Management Server (SMS).

Netcap provides capture abilities that are similar to the version of Network Monitor that is included with the Windows Server products; however, you must use Netcap at a command prompt. Netcap installs the Network Monitor driver and binds it to all adapters when you first run the Netcap command.

The full syntax for Netcap is the following syntax:
 Usage: NetCap.exe [/B:#] [/T <Type> <Buffer> <HexOffset> <HexPattern>]                   [/F:<>] [/C:<capture file>] [/N:#]                   [/L:HH:MM:SS] [/TCF:<Folder Name>] Example: NetCap /B:20 /N:2 /T BP 100 0a ff1f /F:d:\IPFilter.CF /B:# - Buffer, capture size to take, from 1MB to 1000MB default is 1Mb /T   - Trigger, stop capturing when the given buffer and/or pattern is reached        If no trigger is given, the capture will stop when the buffer is full        Use "/T N" to continue capturing even if the buffer fills        Oldest frames in capture will be over written once the buffer is full        Note: With "/T N" you will have to hit space bar to stop capturing       <Type>      - 'B' = buffer, 'P' = Pattern, 'BP' = Buffer then Pattern,                     'PB' = Pattern then Buffer 'N' = No Trigger       <Buffer>    - % Buffer Size '25', '50', '75', '100' used with                     B, BP, PB (NOT P)       <HexOffset> - Hex Offset from start of frame used with P, BP, PB (NOT B)       <HexPattern>- Hex Pattern to match used with P, BP, PB (NOT B)                     The Pattern must be an even number of hex digits /C:<Capture File> - Move temporary capture to full path and/or file name                     This can be any valid local or remote path                     If "/C" is not specified the capture file will remain                     in the default temporary capture folder /F:<>- A Network Monitor 2.x generated capture filter (*.cf) /L:<HH:MM:SS>     - Capture for given amount of time (max 99:99:99)                     Note: This option overrides the default 100% trigger                     unless "/T <trigger type>" is also specified /TCF:<Folder Name>- Permanently changes the temporary capture folder                     Warning the path must be on a fixed local hard drive                     Once set you only need to use the switch again                     to change the directory /Remove           - Removes the NetCap instance of the Network Monitor driver /N:<#>            - NIC Index number, for this computer					
To determine the network interface card (NIC) index number, you can use the netcap /? command. Under the syntax information, you can view a list of the adapters that are installed on the computer. From this list, you can select the correct adapter for capture. For example, if you want to capture traffic for a dial-up connection on a computer with the following adapters, use NIC index 0:
 Use the following index numbers for these adapters: (default) 0 = ETHERNET (2C3D20524153) WAN (PPP/SLIP) Interface           1 = ETHERNET (000039139635) Local Area Connection 2           2 = ETHERNET (0000390E118E) Local Area Connection					
The following commands are sample Netcap commands:
  • To capture traffic on NIC 1 BY using a 10 megabyte (MB) buffer, use the following command:
    netcap /n:1 /b:10
  • Netcap typically stops capturing when the buffer is full. To capture traffic with "First In First Out" (FIFO) buffering, which is the default for Network Monitor, you can use the following command:
    netcap /t n
    Note that if you want to stop the capture, press the SPACEBAR.
  • To capture traffic for one hour by using a 1-MB FIFO buffer, use the following command:
    netcap /L:01:00:00
  • To remove the Network Monitor driver, use the following command:
    netcap /remove
Capture files that you create by using Netcap are placed in the UserProfile\Local Settings\Temp folder, by default, where UserProfile is the name of the user profile. You can change the default folder by using either the /c or /tcf switches.

For additional information about how to capture network traffic or the concepts or terms that are used in this article, click the article number below to view the article in the Microsoft Knowledge Base:
148942 How to Capture Network Traffic with Network Monitor

Article ID: 310875 - Last Review: 12/07/2015 08:03:48 - Revision: 1.1

Microsoft Windows XP Home Edition, Microsoft Windows XP Professional

  • kbnosurvey kbarchive kbinfo KB310875