Windows Server 2008 : Using Network Monitor and nmcap – Using nmcap to Capture Traffic, Automatically Starting, Stopping, and Terminating nmcap

Using nmcap to Capture Traffic

When you install Network Monitor, you also install the command-line tool called nmcap. You can use nmcap to start and stop captures, and it includes a rich set of switches to control the capture.

Tip

Due to the overhead of the GUI of Network Monitor, Microsoft does not recommend using it on production systems. Instead, Microsoft recommends using nmcap to minimize the effect on system resources.

The basic syntax to start a capture is

nmcap /network * | adapter-name /capture /file filename.cap:size

For example, if you want to start a capture on all adapters for a system, save the capture to a file named dc1cap.cap, and limit the size to 10 MB, you can use the following command:

nmcap /network * /capture /file dc1cap.cap:10mb

The following listing shows what you see as the capture runs:

c:\>nmcap /network * /capture /file dc1cap.cap:10mb
Network Monitor Command Line Capture (nmcap) 3.4.2350.0
Saving info to: c:\dc1cap.cap - using circular buffer of size 10.00 MB.

ATTENTION: Conversations Disabled: Some filters require conversations and will not work correctly (see Help for details)

ATTENTION: Process Tracking Disabled: Use /CaptureProcesses to enable (see Help for details)
Note: Process Filtering Disabled.

Exit by Ctrl+C

Capturing | Received: 12 Pending: 0 Saved: 12 Dropped: 0 | Time: 27 seconds.

Files captured this way can be opened by typing in the name of the file (such as dc1cap.cap) at the command prompt. Because .cap is associated with Network Monitor, this launches Network Monitor and opens the capture within it. You can also open Network Monitor and browse to the capture file as shown previously.

The previous command runs the capture on all available NICs; however, you can choose just a single NIC if desired. First, you can view a list of available network cards with the /displaynetworks switch as shown in the following listing.

c:\>nmcap /displaynetworks
Network Monitor Command Line Capture (nmcap) 3.4.2350.0
0. Local Area Connection (Intel 21140-Based PCI Fast Ethernet Adapter)
1. NDISWANBH (WAN Miniport)

If you want to run the command on only the NIC named Local Area Connection, use the number 0 with the /network switch like the following:

nmcap /network 0 /capture /file dc1cap.cap:10mb

Automatically Starting, Stopping, and Terminating nmcap

nmcap has some switches to start at a certain time, stop after a period of time, or terminate based on certain conditions. The following table shows some of the uses.

Start, Stop, and Terminate Commands, with Comments

Start the capture at a specific time.

/startwhen /time hh:mm:ss xm mm/dd/yyyy

c:\>nmcap /network * /capture /file dc1cap.cap:10mb /startwhen /time 11:00:00 am 01/30/2011

You can specify a time when you want the capture to start by combining the /startwhen and /time switches. You specify the time of day by including am or pm. The example starts the capture at 11 AM on January 30, 2011.

Note

You can also use /timeafter to start the capture after a certain amount of time, as shown in the next example.

Stop the capture after a specific amount of time.

/stopwhen /timeafter number-of-minutes min

c:\>nmcap /network * /capture /file dc1cap.cap:10mb /startwhen /timeafter 5 min /stopwhen /timeafter 30 min

When you use the /startwhen switch, you can also use the /stopwhen switch. The example causes the capture to start after 5 minutes, and then stop after 30 minutes.

Note

The /stopwhen switch does not terminate the program if the /startwhen switch has not been used. However, you can use the /terminatewhen switch by itself.

Tip

You can also use hours instead of mins.

Terminate a capture.

/terminatewhen [/keypress key] [/timeafter number-of-minutes min]

c:\>nmcap /network * /capture /file dc1cap.cap:10mb /terminatewhen /keypress q
c:\>nmcap /network * /capture /file dc1cap.cap:10mb /terminatewhen /timeafter 30 min
c:\>nmcap /network * /capture /file dc1cap.cap:10mb /terminatewhen /keypress q /timeafter 30 min
c:\>nmcap /network * /capture /file dc1cap.cap:10mb /terminatewhen /timeafter 30 min /keypress q

You can use the /terminatewhen switch to cause the capture to stop after a specific key is pressed, after a set time has passed, or both.

When you use both the /timeafter and /keypress switches in the same command, both conditions must occur, and they are evaluated in the order given.

For example, in the third example (/keypress q /timeafter 30 min) the capture stops 30 minutes after the q key is pressed.

In the fourth example (/timeafter 30 min /keypress q) the capture stops after 30 minutes have passed and the user then presses the q key.
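As an added example that is not from the book (Python, assuming only the nmcap output formats shown in the listings above), the following helpers parse the /displaynetworks listing so an adapter can be picked by its /network number, build an unattended capture command whose /terminatewhen conditions keep the order the table describes, and read the status line so that dropped frames are flagged, since any drop means the .cap file is not a complete record of the traffic.

```python
import re

# Constructed sample of `nmcap /displaynetworks` output, with a console-wrapped name.
SAMPLE_NETWORKS = """Network Monitor Command Line Capture (nmcap) 3.4.2350.0
0. Local Area Connection (Intel 21140-Based PCI Fast Ethernet
Adapter)
1. NDISWANBH (WAN Miniport)
"""

def parse_displaynetworks(text):
    """Map /network index -> adapter description, re-joining lines the console wrapped."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+)\.\s+(.*)$", line)
        if m:
            current = int(m.group(1))
            adapters[current] = m.group(2).strip()
        elif current is not None and line.strip():
            adapters[current] += " " + line.strip()  # continuation of a wrapped name
    return adapters

def build_capture_cmd(network, capfile, size_mb, start_after_min=None, terminate=()):
    """Build the nmcap argument list for an unattended capture.
    `terminate` is an ordered sequence of ("keypress", "q") / ("timeafter", 30) pairs;
    order is kept because nmcap applies /terminatewhen conditions in sequence."""
    cmd = ["nmcap", "/network", str(network), "/capture", "/file", f"{capfile}:{size_mb}mb"]
    if start_after_min is not None:
        cmd += ["/startwhen", "/timeafter", str(start_after_min), "min"]
    if terminate:
        cmd.append("/terminatewhen")
    for kind, value in terminate:
        if kind == "keypress":
            cmd += ["/keypress", str(value)]
        elif kind == "timeafter":
            cmd += ["/timeafter", str(value), "min"]
        else:
            raise ValueError(f"unknown /terminatewhen condition {kind!r}")
    return cmd

STATUS_RE = re.compile(r"Received:\s*(\d+)\s+Pending:\s*(\d+)\s+Saved:\s*(\d+)\s+Dropped:\s*(\d+)")

def parse_status(line):
    """Parse nmcap's 'Capturing | Received: ... Dropped: ...' line (None if not one)."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    stats = dict(zip(("received", "pending", "saved", "dropped"), map(int, m.groups())))
    stats["complete"] = stats["dropped"] == 0  # any dropped frame means gaps in the .cap
    return stats
```

Feed the argument list to subprocess.run on the Windows host to launch the capture, and check the final status line's dropped count before treating the file as evidence.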