Using Netcap to Capture Network Traffic

Netcap.exe is a command-line utility that you can use to capture network traffic to a capture file. You can then load the file in Network Monitor to view the captured traffic. The Network Monitor tool does not have to be installed on the computer running Windows Server 2003 to use Netcap. You can also use Netcap on computers running Windows XP, which makes it an extremely attractive way to capture traffic for later review. The tool is available after the Windows Server 2003 Support Tools have been installed. When you first run the command, the Network Monitor driver is automatically installed.

Exam Tip If you need to capture packets on a Windows XP machine, use Netcap.

Table 11-6 describes the syntax used to obtain a capture. Table 11-6 Netcap Syntax




/t: Type Buffer





/L:HH:MM:SS /TCF:FolderName

/Remove /N:Number

Specifies buffer or capture size from 1 MB to 1000 MB with a default of 1 MB.

Informs trigger when to stop the capture, when either the buffer or pattern is reached. The capture stops when the buffer is full if no trigger is defined. /t N can be used to cause the capture to continue when the buffer is full. New frames overwrite the oldest frames. Valid values for the Type parameter are B = buffer; P = pattern; BP = buffer then pattern; PB = pattern then buffer; N = no trigger. Valid values for the Buffer parameter are % Buffer size 25, 50, 75, and 100. This parameter is used with all Type values except P. Valid values for the HexOffset parameter are hex offset from start of frame used with P, BP, PB, but not B. Valid values for the HexPattern parameter are hex pattern to match. Used with P, BP, PB, but not B. The pattern needs to be an even number of digits.

Specifies a location to which Netcap will move the temporary capture files. This location can be any valid local or remote path. If /C is not specified, the capture path remains in the default temporary capture folder.

Specifies a filter to use during the capture. A filter file has a .cf extension.

Captures for some amount of time.

Changes temporary capture folder. Path must be on a fixed local hard disk drive.

Removes Netcap instance of the Network Monitor driver. Provides the network interface card (NIC) index number for this computer. 0 = PPP/ SLIP interface. 1 = Local Area Connection 2; 2 = Local Area Connection. Determine the NIC index number using the Netcap /? command. All adapters installed on the local computer will be listed.

The following are two example commands:

Capture the packets received on NIC 2 using a 20-MB buffer:

Capture for one hour:

Netcap /L:01:00:00

Was this article helpful?

0 0
Computer Hard Drive Data Recovery

Computer Hard Drive Data Recovery

Learn How To Recover Your Hard Drive Data After A Computer Failure.

Get My Free Ebook


  • luwam asmara
    How to capture network traffic with Nm cap command?
    9 years ago

Post a comment