The Quick and Easy on Using NMCap to Create Circular Network Traces Based on File Size

Hello all Networking Blog readers. My name is Brett Crane and I am an engineer with the Networking Teams here at Microsoft. I wanted to take a minute to show you a quick way to use Network Monitor to perform sequential (also called circular) captures for troubleshooting issues. This is particularly useful when you can’t dictate when the network communications you are looking for are going to happen. This method of troubleshooting is available through GUI configuration in other network traffic capture utilities, but with Network Monitor it has been, and currently is, available only through the command line options.

(NMCap is a tool that is installed when you install Network Monitor 3.x. It is a command-line tool that provides a great bit of functionality. As time goes by you will find more postings on other uses for this tool.)

As said before, the goal of this discussion is to describe how to collect a sequential trace. What I mean by that is that you set Netmon to create a trace that only grows so large… 200MB for example. Once the capture has grown to 200MB it will close the current file and create a new one. That file will grow up to 200MB and then another file will be created. This gives you the ability to go back and review your files and see whether the date/time stamp matches the date/time when your possible problem may have occurred. Having this information helps because you can delete the trace files that you know do not meet your criteria. If you were to just start a trace and walk away, it could easily fill your hard drive or become so large that it is too much of a burden to open or parse in a timely fashion.

(Actual file size is adjustable and is dictated by the user entering the command.  Based on your needs it could be 1500B or larger.  The upper limit on the file size is 500MB.  If you do not dictate a size it will default to 20MB.  Please make sure you check available disk space as this process could easily fill your entire drive if not monitored properly.) 

To utilize NMCap to collect the sequential captures you will need to install Network Monitor 3.x. (For download and installation information please look back at our other postings:  

Once Network Monitor is installed, open a command prompt and use the following command line statement:


Statement Definitions:

NMCap: The application used to provide command line statements.  It is a lighter weight application, takes fewer resources, and is more flexible.

/Network: Selects one or more space-delimited network adapters to capture from. Adapters may be specified by index, by partial name with the wildcard *, or by quoted friendly name. (If you are uncertain of the name of the network adapter you want to trace from, you can find it using the NMCap /displayNetwork command.)

/Capture: Saves frames that pass the frame filter to the specified capture files.  Think of this as the start command for Network Monitor.

/File: The value after this switch is the name you want to give the trace file. By following the name with a “:” and a size, you set the size each file will grow to before it is closed and the next file is started. Each new file is marked with an incrementing number.

* Notes:

In the example given above we used the file name test.chn.  The extension chn stands for Chain.  By using this extension in the filename we are telling NMCap to start the next file in the chain when we reach the stated size (200MB in the example).  If you utilize the .cap extension in the filename of the format used above it will not create a new file.  It will just cap off the file at the stated size then overwrite older data.  By using the .cap file extension you will NOT accomplish the goal of multiple file creation!

– Keep in mind, as with all command line statements, the file will save in the current directory (e.g. from above: the file will be stored on the C:\ drive).

There are many useful advanced filters that can also be used during the process of capturing Sequential/Circular Trace files (E.g.: /RecordFilters; /RecordConfig).  For more information on commands of these sorts please refer to the Help for NMCap.  (Help for NMCap can be accessed by running the following command in your CMD window: nmcap /?)

To stop your Capture process:

Once you feel the tracing has run long enough to capture what you are looking for, you will need to stop NMCap from continuing to create trace files. To do this correctly, make sure the Command Prompt window in which the sequential trace is running has the focus, then press Ctrl+C. Keep in mind that if you close the window you started tracing in, or log off, you will stop the tracing process.

*Note:  There are advanced methods that can stop the tracing based on different variables such as Date/Time, for example. More information on these methods can be found in the Help for NMCap.  (Help for NMCap can be accessed by running the following command in your CMD window: nmcap /?)

So, that’s all there is to it! Now you can let your traces run, checking back often and deleting the files that you know do not contain any relevant information!
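As an added example (not part of the original post and not Microsoft's code), the PowerShell script below maps each chain file to the time window it covers, flags the file that spans a given incident time, and lists the closed files outside that window as deletion candidates. The capture command in the comment is rebuilt from the switch definitions above; the `test*.cap` file naming, the 5 GB free-space floor and the parameter names are assumptions.

```powershell
# Added example, not from the original post.
# Assumed capture command, rebuilt from the switch definitions above:
#   NMCap /network * /capture /file test.chn:200MB
param(
    [string]$CaptureDir = 'C:\',                    # directory NMCap was started in
    [string]$Pattern    = 'test*.cap',              # assumed naming of the chain files
    [datetime]$Incident = (Get-Date).AddHours(-1),  # when the problem was observed
    [int]$MinFreeGB     = 5                         # hypothetical free-space floor
)

# Oldest first. A chain file is closed when the next one starts, so each file
# covers the window from the previous file's last write to its own last write.
$files = @(Get-ChildItem -Path $CaptureDir -Filter $Pattern -File |
           Sort-Object LastWriteTime)

$report = @(for ($i = 0; $i -lt $files.Count; $i++) {
    $f      = $files[$i]
    $isOpen = ($i -eq $files.Count - 1)   # newest file: assume NMCap still writes to it
    $start  = if ($i -eq 0) { $f.CreationTime } else { $files[$i - 1].LastWriteTime }
    $end    = if ($isOpen) { Get-Date } else { $f.LastWriteTime }
    [pscustomobject]@{
        Name     = $f.Name
        SizeMB   = [math]::Round($f.Length / 1MB, 1)
        Start    = $start
        End      = $end
        Open     = $isOpen
        Relevant = ($Incident -ge $start -and $Incident -le $end)
        Path     = $f.FullName
    }
})

$report | Format-Table Name, SizeMB, Start, End, Open, Relevant -AutoSize

# The post warns that chained captures can fill the drive; check what is left.
$freeGB = [math]::Round((Get-Item -LiteralPath $CaptureDir).PSDrive.Free / 1GB, 1)
if ($freeGB -lt $MinFreeGB) {
    Write-Warning "Only $freeGB GB free on the capture drive"
}

# Closed files whose window misses the incident are deletion candidates.
# -WhatIf only lists them; drop it after checking the table above.
$report | Where-Object { -not $_.Relevant -and -not $_.Open } |
    ForEach-Object { Remove-Item -LiteralPath $_.Path -WhatIf }
```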

(For more detailed information on using nmcap you can also refer to this link:

– Brett Crane