Windows Server 2008 : Using Network Monitor and nmcap – Adding Filters to nmcap, Enabling Promiscuous Mode in nmcap

Adding Filters to nmcap

You can filter the nmcap capture based on protocols, ports, IP addresses, and MAC or Ethernet addresses. The following table shows some common uses with these filters.

Filtering Traffic Commands Comments
Capture traffic based on specific protocols.

/capture protocol-list
nmcap /network * | adapter-name
filter-protocol /file filename.
C:\>nmcap /network * /capture icmp
/file dccap.cap:10mb
C:\>nmcap /network * /capture ldap
/file dccap.cap:10mb
C:\>nmcap /network * /capture !ldap
/file dccap.cap:10mb
C:\>nmcap /network * /capture (ldap
and icmp and dns)  /file dccap.

You can add protocols to filter in the nmcap/capture switch. after the

The first example captures only ICMP traffic and ignores all other traffic. The second example captures only LDAP traffic. The third example captures all traffic except for LDAP traffic.


The ! character is used as a Boolean NOT character. In other words, if you want to capture LDAP traffic, use ldap as the filter. If you want to capture everything but LDAP, use !ldap (read as NOT ldap).

The fourth example captures all LDAP, ICMP, and DNS traffic. You can use as many Boolean ANDs in the filter as desired. For example, it can be ldap and icmp and ftp, and so on.

Capture traffic based on a specific port.

/capture tcp|udp.port==port-number
C:\>nmcap /network * /capture
tcp.port==80 /file dccap.cap:10mb
C:\>nmcap /network * /capture
udp.port==53 /file dccap.cap:10mb
C:\>nmcap /network * /capture
(tcp.port==80 and udp.port==53)
/file dccap.cap:10mb

You can specify traffic to capture based on the TCP or UDP port used. The first example captures traffic using TCP port 80, the second example captures traffic using UDP port 53, and the third example captures traffic from both TCP port 80 and UDP port 53.


The == is two equal symbols put together.

Capture traffic based on IP addresses.

/capture ipv4.address==IP-address
C:\>nmcap /network * /capture
ipv4.address== /file

You can add a filter for specific IP addresses. The example captures only traffic to or from the system with the IPv4 address of
Capture traffic based on MAC addresses.

/capture ipv4.address==IP-address
C:\> nmcap /network * /capture
/file dccap.cap:10mb

You can also filter based on Ethernet addresses (also called MAC addresses or physical addresses). The example captures only traffic to and from the system with the specified MAC address.

Enabling Promiscuous Mode in nmcap

By default, Network Monitor and nmcap capture only traffic sent directly to or coming from the local IP address and broadcast traffic. However, you frequently want to be able to capture all traffic that reaches the NIC. To do so, you need to enable promiscuous mode, or P-Mode, with the /disablelocalonly switch.

Enabling Promiscuous Mode with nmcap Comments
Enable Promiscuous Mode.

C:\>nmcap /network * /capture /file
dc3cap.cap:10mb /disablelocalonly

Disables local-only capture, which enables promiscuous mode, or P-Mode. All frames that reach the network cards are captured regardless of their source and destination IP addresses.