How to use the Network Monitor Capture Utility (Netcap.exe) to capture network traffic information
You can capture network traffic by running the Netcap.exe utility at a command prompt. The Netcap.exe utility is installed when you install the support tools that are included with Microsoft Windows XP. For more information about how to install support tools, click the following article number to view the article in the Microsoft Knowledge Base:
You must use the full Network Monitor interface to open the resulting capture files (.cap). Network Monitor is included with the following products:
- Microsoft Windows 2000 Server
- Microsoft Windows Server 2003
- Microsoft Windows XP
- Microsoft Systems Management Server (SMS)
Command syntax for the Netcap.exe utility
Usage: Netcap.exe [/B:Number] [/T Type Buffer HexOffset HexPattern] [/F:Filter file.cf] [/C:Capture file] [/N:Number] [/L:HH:MM:SS] [/TCF:Folder name]

Example: NetCap /B:20 /N:2 /T BP 100 0a ff1f /F:d:\IPFilter.CF

- /B:Number
  Specifies the buffer size in megabytes (MB). Number may be a value from 1 to 1000. The default size is 1 MB.
- /T
  Specifies the use of a trigger to determine when to stop capturing. If the trigger is omitted, the Netcap.exe utility captures data until the buffer is full and then stops. The "/T /N" option captures until the spacebar is pressed. This option uses the buffer as a queue: if the buffer becomes full, the utility overwrites the oldest entries.
  Note: If you use the "/T /N" option, press the spacebar to stop capturing.
  - Type
    B = buffer, P = pattern, BP = buffer then pattern, PB = pattern then buffer, N = no trigger
  - Buffer
    Percent of the buffer size ('25', '50', '75', '100'). Used together with B, BP, or PB (not P).
  - HexOffset
    Hexadecimal offset from the start of the frame. Used together with P, BP, or PB (not B).
  - HexPattern
    Hexadecimal pattern to match. Used together with P, BP, or PB (not B). The pattern must be an even number of hexadecimal digits.
- /C:Capture file
  Moves the temporary capture to a full path or to a file name. This entry can be any valid local or remote path. If the "/C" option is not specified, the capture file remains in the default temporary capture folder.
- /F:Filter file.cf
  A Network Monitor 2.x-generated capture filter (*.cf).
- /L:HH:MM:SS
  Captures for a set time. (The maximum time = 99:99:99.)
  Note: This option overrides the default 100 percent trigger unless the "/T trigger type" option is also specified.
- /TCF:Folder name
  Permanently changes the temporary capture folder.
  Warning: The path must be on a fixed local hard disk drive. After the path is set, you only have to use the switch again to change the folder.
- /Remove
  Removes the Netcap.exe instance of the Network Monitor driver.
- /N:Number
  Network adapter index number for this computer.

To capture network traces on source and destination computers, follow these steps:
1. On the source computer, click Start, click Run, type cmd, and then click OK.
2. At the command prompt, type the following command:
   netcap /n:1 /b:150 /c:c:\Source.cap
   Notes
   - In this example, the Netcap.exe utility captures traffic on network adapter index number 1. The capture buffer is 150 MB. The capture file is saved as C:\Source.cap.
   - To find the network adapter index number, type netcap /?. Under the syntax information, you can see a list of the network adapters that are installed on the computer. Select the correct network adapter to capture network traffic. For example, if you want to capture traffic for Local Area Connection 2 on a computer that uses the following network adapters, use index number 1:
     Use the following index numbers for these adapters:
     (default) 0 = ETHERNET (2C3D20524153) WAN (PPP/SLIP) Interface
     1 = ETHERNET (000039139635) Local Area Connection 2
     2 = ETHERNET (0000390E118E) Local Area Connection
   - If the client computer accesses the destination file server over a virtual private network (VPN) connection, the virtual interface that is created on the client computer must be monitored to see file copy traffic.
3. On the destination computer, type the following command at a command prompt, and then press ENTER:
   netcap /n:1 /b:150 /c:c:\Destination.cap
   Notes
   - In this example, the Netcap.exe utility captures traffic on network adapter index number 1. The capture buffer is 150 MB. The capture file is saved as C:\Destination.cap.
   - Make sure that you select the correct network adapter index number.
4. On the source computer, type the following command at a command prompt, and then press ENTER:
   ping -n 15 Destination_IP_address
   Note: This IP address is the starting point for the network trace.
5. On the source computer, type the following command at a command prompt, and then press ENTER:
   net use * \\server\share
   Note: Server is the name of the server where the file is stored. Share is the name of the file share.
6. On the source computer, type the following command at a command prompt, and then press ENTER:
   copy File_name Drive_letter:
7. After the file copy process is complete, type the following command at a command prompt on the source computer:
   ping -n 15 Destination_IP_address
   Note: This IP address is the end point for the network trace.
8. Press SPACEBAR to stop capturing network traffic.
9. Send the following information to Microsoft Product Support Services (PSS):
   - The Source.cap file from the source computer.
   - The Destination.cap file from the destination computer.
   - The name of the file that you copied in step 6.
   - The IP addresses of the source and destination computers.
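The /T switch described in the syntax section decides when Netcap.exe stops on its own. The following model, added here and not code from the KB article or from Netcap.exe, walks the KB's example trigger "/T BP 100 0a ff1f" over a constructed stream of Ethernet frames so the difference between B, P, BP, PB and N becomes visible; the stage ordering for BP and PB, the byte-sized buffer and the frame contents are assumptions of this example.

```python
"""Model of the Netcap.exe /T trigger over a constructed frame stream.

Added example, not code from the KB article or from Netcap.exe. Assumed
semantics, read from the switch descriptions: B fires when the buffer is
Buffer percent full; P fires when HexPattern occurs at HexOffset in a frame;
BP fires on a pattern match seen once the buffer condition holds; PB fires
once the buffer condition holds after a pattern match; N never stops.
"""

def frame_matches(frame: bytes, hex_offset: str, hex_pattern: str) -> bool:
    """True if hex_pattern sits at hex_offset (hex, from frame start) in frame."""
    pattern = bytes.fromhex(hex_pattern)  # ValueError on an odd digit count
    off = int(hex_offset, 16)
    return frame[off:off + len(pattern)] == pattern

def stop_index(frames, buffer_bytes, trig_type, percent=100,
               hex_offset="0", hex_pattern=""):
    """Index of the frame on which the trigger fires, or None if it never does."""
    threshold = buffer_bytes * percent / 100  # buffer_bytes stands in for /B (MB)
    filled = 0
    pattern_hit = False
    for i, frame in enumerate(frames):
        if trig_type == "N":
            continue  # no trigger: oldest entries are overwritten, spacebar stops
        filled += len(frame)
        full = filled >= threshold
        matched = "P" in trig_type and frame_matches(frame, hex_offset, hex_pattern)
        pattern_hit = pattern_hit or matched  # sticky once seen (PB stage one)
        if ((trig_type == "B" and full) or (trig_type == "P" and matched)
                or (trig_type == "BP" and full and matched)
                or (trig_type == "PB" and pattern_hit and full)):
            return i
    return None  # stream ended (or buffer filled) without the trigger firing

def eth_frame(src_mac_hex: str, ethertype_hex: str = "0800") -> bytes:
    """Constructed 60-byte Ethernet frame: broadcast dst, given src, zero payload."""
    return bytes.fromhex("ffffffffffff" + src_mac_hex + ethertype_hex) + bytes(46)

# Constructed stream. The third source MAC ends in ff1f, so the KB's example
# trigger "/T BP 100 0a ff1f" (offset 0x0a = last two source-MAC bytes) hits it.
F1, F2, F3 = eth_frame("000039139635"), eth_frame("0000390e118e"), eth_frame("00112233ff1f")
STREAM = [F1, F3, F2, F1, F3]  # 5 frames x 60 bytes = 300 bytes

def demo(buffer_bytes=240):
    """Stop index per trigger type for STREAM against a 240-byte buffer."""
    return {t: stop_index(STREAM, buffer_bytes, t, 100, "0a", "ff1f")
            for t in ("B", "P", "BP", "PB", "N")}
```

With the 240-byte buffer, P stops on the first ff1f frame (index 1), B on the frame that fills the buffer (index 3), PB on the same frame because the pattern was already seen, and BP only on the next ff1f frame after the buffer filled (index 4).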
Article ID: 924037 - Last Review: 10/11/2007 02:12:29 - Revision: 1.4