You’ve probably heard that netmon3.1 is out, but you might not know that you can easily launch a capture at the command prompt. I find this useful when we’re waiting on a repro, we want a capture, but we don’t know when that’s going to happen. Sure you could set this up in the GUI too, but who wants to do that when it’s as easy as this?
The below will setup a capture on all networks that the system is attached to and wait until I hit ctrl+c (you can see its been a while with no repro). The CHN extension used tells netmon to take multiple captures in a chain (see file syntax). I also put some examples at the bottom so you can see what else you can do. Have fun!
C:\Windows\system32>nmcap /capture /network * /File netmoncap.chn:100M
Netmon Command Line Capture (nmcap) 03.01.0512.0000
Saving info to:
C:\Windows\system32\netmoncap.cap – using chain captures of size 100.00 MB.
ATTENTION: Conversations Enabled: consumes more memory (see Help for details)
Exit by Ctrl+C
Saved Frames: 9232127 Capture Frames: 9438779 (44181 seconds)
Cancelled by user
Final Results : Saved Frames: 722 Capture Frames: 722
C:\Program Files\Microsoft Network Monitor 3>dir netmoncap.cap
Volume in drive C has no label.
Volume Serial Number is FCC3-5AF7
Directory of C:\Program Files\Microsoft Network Monitor 3
02/22/2008 09:06 AM 384,748 netmoncap.cap
1 File(s) 384,748 bytes
0 Dir(s) 16,699,654,144 bytes free
Here’s the breakdown fo the /File syntax:
/File <Capture File>[:<File Size Limit>]
Name of capture file to save frames to. Extensions are used to determine
the behavior of nmcap.
.cap — Netmon 2 capture file
.chn — Series of Netmon 2 capture files: t.cap, t(1).cap, t(2).cap…
<File Size Limit> are optional. It limits the file size of each capture
file generated. Default single capture file size limit is 20M. The
upper bound of the file size limit is 500M. The lower bound of the file
size limit depends on the frame size captured. (Note that the maximal size
of ethernet frames is 1500 Bytes)
The files are circular, so once the size limit is reached, new data will
overwrite older data.
Example Usage: /File t.cap:50M
Some other examples from the NMCAP help:
This example starts capturing network frames that DO NOT contain ARPs, ICMP,
NBtNs and BROWSER frames. If you want to stop capturing, Press Control+C.
nmcap /network * /capture (!ARP AND !ICMP AND !NBTNS AND !BROWSER) /File NoNoise.cap
Starts capturing network frames immediately. All TCP frames that have a source
port or destination port of 80 are saved to the chained capture files named
test.cap, test(1).cap, test(2).cap, … When the user presses the ‘x’ key the
nmcap /network * /capture tcp.port == 80 /file c:\temp\test.chn:6M /stopwhen /keypress x
This example starts capturing network frames that are TCP Continuations. The
capture filter is searching for String "Continuation in TCP Frame Summary
Description. In order to see the complete list of Netmon Properties that are
filterable,type ".Property" in the Netmon Filter UI.
nmcap /network * /capture contains(.Property.Description, \"Continuation\") /File TCPContinuations.cap