Windows Tip Sheet
Capture That Wild Packet
Use pigs to find truffles and use Netcap to do quick and dirty packet captures.
- By Jeffery Hicks
I know there are many packet capturing tools, including some terrific open source products. But for real simplicity at the right price (free), there's the command line version of Network Monitor, Netcap.exe.
Netcap.exe is part of the Windows Support Tools. The only other step you have to take before using it is to install the Network Monitor driver and bind it to the network card you'll be capturing on.
Before you can capture, you need to know the adapter number. At the command prompt type netcap /?. At the end of the help screen you'll see the available adapters and their respective numbers. Let's assume it is 4, since that's what it is on my machine and it makes the examples easier to follow.
You can capture traffic until the specified buffer is full, until some trigger is met, or for a given period of time, and you can stop the capture by hand at any point. By default, captures are stored in your temp directory under a temporary file name; I prefer to use the /C switch and specify the file myself so I know where the trace ended up.
Normally, I'm only capturing packets while I'm monitoring or working out some problem. Because Netcap stops as soon as its default 1MB buffer fills, I always set the buffer to at least 10MB with /B (the maximum is 1000MB). When I'm ready to go, I open a command prompt and type:
netcap /n:4 /c:e:\temp\webtrace.cap /b:10
Once I'm done with my testing, I go back to the Netcap window and press the space bar to stop the capture. Because I installed the Network Monitor Tools along with the driver, the .cap extension is associated with Network Monitor, so I can double click my capture file and it opens in the application.
Yes, I know I could have just used the application and been done. But I can get a trace started faster from the command line. Plus, if I'm troubleshooting an application or a script, I can combine it with Netcap in a batch file and kick off the network trace immediately before the script so the capture covers only the traffic I care about. In the batch file I use start to launch Netcap in a separate window, wait a second so the capture is actually running, then launch the script:
start netcap /b:10 /n:4 /c:e:\temp\test1.cap /L:00:00:10
rem wait about a second so the capture is running before the script generates traffic
ping -n 2 127.0.0.1 >nul
cscript s:\wmiosinfo.vbs dc01
As written, the capture runs for only 10 seconds (the /L switch takes hh:mm:ss), but I can end it early by pressing the space bar in the Netcap window if the script finishes before then.
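The batch-file pattern above, written out as one reusable script: it takes the capture name, duration and adapter number as parameters, starts Netcap in its own window (so the space bar still stops it early), waits for the capture to finish before touching the file, and then opens the trace in Network Monitor. This is an added example, not code from the original column. It assumes Netcap.exe and the Network Monitor driver are installed, that tasklist is available (Windows XP Professional or Server 2003), that the capture directory path contains no spaces, and that s:\wmiosinfo.vbs and dc01 are placeholders for whatever you are actually testing.

```batch
@echo off
rem tracescript.cmd - added example, not part of the original column.
rem Wraps "start netcap ... then run the script" so the capture brackets the test.
rem Assumptions: Netcap.exe and the Network Monitor driver are installed,
rem tasklist.exe exists (XP Pro / Server 2003), e:\temp has no spaces in its
rem path, and s:\wmiosinfo.vbs / dc01 are placeholders for your own test.
rem Usage: tracescript.cmd <capture-name> [seconds] [adapter]

setlocal
if "%~1"=="" (
    echo Usage: %~nx0 ^<capture-name^> [seconds] [adapter]
    exit /b 1
)
set CAPDIR=e:\temp
set CAPFILE=%CAPDIR%\%~1.cap
set SECONDS=%~2
if "%SECONDS%"=="" set SECONDS=10
set ADAPTER=%~3
if "%ADAPTER%"=="" set ADAPTER=4

rem Netcap's /L switch wants hh:mm:ss, so convert the seconds argument and
rem zero-pad each field to two digits.
set /a H=SECONDS/3600, M=(SECONDS %% 3600)/60, S=SECONDS %% 60
set H=0%H%& set M=0%M%& set S=0%S%
set LIMIT=%H:~-2%:%M:~-2%:%S:~-2%

if not exist "%CAPDIR%" mkdir "%CAPDIR%"

rem Start the capture in a separate window: 10MB buffer, chosen adapter,
rem named output file, hard time limit. The space bar in that window still
rem ends the capture early.
start "Netcap %~1" netcap /n:%ADAPTER% /c:%CAPFILE% /b:10 /L:%LIMIT%

rem Give the driver a moment to begin capturing before generating traffic
rem (ping -n 2 to localhost waits roughly one second).
ping -n 2 127.0.0.1 >nul

rem The thing being traced. Replace with your own script or command.
cscript //nologo s:\wmiosinfo.vbs dc01

rem Wait until Netcap exits, whichever way it stops (time limit, full buffer,
rem or space bar), so Network Monitor is not opened on a half-written file.
:waitloop
tasklist /fi "imagename eq netcap.exe" | find /i "netcap.exe" >nul
if not errorlevel 1 (
    ping -n 2 127.0.0.1 >nul
    goto waitloop
)

if exist "%CAPFILE%" (
    echo Capture written to %CAPFILE%
    rem .cap is associated with Network Monitor once the tools are installed.
    start "" "%CAPFILE%"
) else (
    echo No capture file was produced; check the Netcap window for errors.
)
endlocal
```

Running tracescript.cmd test1 10 reproduces the two-line batch file from the column, writing e:\temp\test1.cap, but the wait loop means you can chain a second command after the capture (copy the file somewhere safe, or start another trace) without racing Netcap for the file. The tasklist check treats any netcap.exe on the machine as "still running", so run one trace at a time.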
Again, there are plenty of great packet capture tools out there and you should have at least one. But Netcap's simplicity and ease of use is pretty hard to beat for quick and dirty work. One caution that applies to any of them: the capture file holds everything that crossed that adapter while the trace ran, including any credentials or data sent in the clear, so treat the .cap as sensitive, keep it somewhere with restricted permissions, and delete it once the problem is solved.
Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at Petri.com, and a frequent speaker at technology conferences and user groups.