Windows Tip Sheet

Capture That Wild Packet

Use pigs to find truffles and use Netcap to do quick and dirty packet captures.

I know there are many packet capturing tools, including some terrific open source products. But for real simplicity, at a price that's right, there's the command line version of Network Monitor, also called Netcap.exe.

Netcap.exe is part of Windows Support Tools. The only other step you have to take to use it is to install the Network Monitor driver and bind it to the network card you'll be capturing from.

Before you can capture, you need to know the adapter number. At the command prompt type netcap /?. At the end of the help screen you'll see the available adapters and their respective numbers. Let's assume it is 4, since that's what it is for me and it makes my examples easier.

You can capture traffic until the specified buffer is full, when some trigger is met or after a given period of time. You can stop the capture at any time. By default, captures are stored in your temp directory with a temporary file name. I prefer to use the /C switch and specify a file.

Normally, I'm only capturing packets while I'm monitoring or working out some problem. Because Netcap will stop when its default 1MB buffer fills, I always reset it to at least 10MB. (The max is 1000MB.) When I'm ready to go, I open a command prompt and type:

netcap /n:4 /c:e:\temp\webtrace.cap /b:10

Once I'm done with my testing, I go back to the command prompt and press the space bar to stop the capture. Because I installed Network Monitoring tools when I installed the driver, I can double click my capture file and it will open in the Network Monitor application.

Yes, I know I could have just used the application and been done. But I can get it started faster from the command line. Plus, if I'm troubleshooting an application or a script, I can combine it with Netcap in a batch file. This way, I can kick off the network trace and immediately follow it with a script. In the batch file I use Start to launch Netcap in a separate window, wait a second, then launch the script:

@echo off
start netcap /b:10 /n:4 /c:e:\temp\test1.cap /L:00:00:10
sleep 1
cscript s:\wmiosinfo.vbs dc01

As written, the capture will only run for 10 seconds, but I can end it prematurely if the script finishes before then.
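The same capture-then-run pattern as a reusable PowerShell function, added here as an example and not part of the original article. The function name, its parameters and the capture file naming are hypothetical; only the Netcap switches shown above (/n, /c, /b, /L) are used, and the default output directory is assumed to contain no spaces.

```powershell
# Added example (not from the article). Function and parameter names are hypothetical.
# Uses only the netcap switches shown in the article: /n, /c, /b, /L.
function Invoke-TracedCommand {
    param(
        [Parameter(Mandatory)] [int] $Adapter,            # number listed by netcap /?
        [Parameter(Mandatory)] [scriptblock] $Command,    # work to run while capturing
        [ValidateRange(1, 1000)] [int] $BufferMB = 10,    # article: default 1MB, max 1000MB
        [ValidateRange(1, 86399)] [int] $Seconds = 10,    # kept under 24h so hh:mm:ss fits
        [string] $OutDir = 'e:\temp'
    )

    if (-not (Get-Command netcap.exe -ErrorAction SilentlyContinue)) {
        throw 'netcap.exe not found on PATH (it ships with Windows Support Tools).'
    }
    if (-not (Test-Path $OutDir -PathType Container)) {
        throw "Capture directory $OutDir does not exist."
    }

    # One file per run so an earlier trace is never overwritten.
    $capFile = Join-Path $OutDir ('trace-{0:yyyyMMdd-HHmmss}.cap' -f (Get-Date))
    # /L takes hh:mm:ss, as in the article's /L:00:00:10.
    $limit = [TimeSpan]::FromSeconds($Seconds).ToString('hh\:mm\:ss')

    $netcapArgs = "/b:$BufferMB", "/n:$Adapter", "/c:$capFile", "/L:$limit"
    $capture = Start-Process netcap.exe -ArgumentList $netcapArgs -PassThru

    Start-Sleep -Seconds 1          # same one-second head start as the batch file
    try {
        & $Command
    }
    finally {
        # The capture ends by itself at the /L limit (or when the buffer fills).
        $capture.WaitForExit()
    }

    if (-not (Test-Path $capFile)) {
        throw "netcap exited without writing $capFile."
    }
    Get-Item $capFile | Select-Object FullName, Length, LastWriteTime
}

# Constructed usage, mirroring the batch file above.
Invoke-TracedCommand -Adapter 4 -Command { cscript s:\wmiosinfo.vbs dc01 }
```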

Again, there are plenty of great packet capture tools out there and you should have at least one. But Netcap's simplicity and ease of use are pretty hard to beat for quick and dirty work.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.
