How can I capture network traffic in Windows XP or Windows Server 2003?
Windows XP and Windows Server 2003 introduce a new utility called NETCAP.EXE, which acts as a command-line version of the GUI Network Monitor tool. Netcap only captures, and only from a command prompt; to open the resulting capture (.cap) files, you must use the full Network Monitor interface.
Netcap is installed when you install the Support Tools from the Windows XP CD-ROM. For additional information about how to install these tools, see Microsoft Knowledge Base article 306794. Network Monitor itself is provided with the Windows Server products and with Microsoft Systems Management Server (SMS).
Netcap provides capture abilities similar to the version of Network Monitor that is included with the Windows Server products; however, you must use Netcap at a command prompt. The first time you run the Netcap command, it installs the Network Monitor driver and binds it to all network adapters. Installing a driver requires administrative rights, and the driver remains installed and bound until you remove it with the /remove switch described below.
The following commands are sample Netcap commands:
To capture traffic on NIC 1 by using a 10 megabyte (MB) buffer, use the following command:
netcap /n:1 /b:10
By default, Netcap stops capturing when the buffer is full. To capture traffic with "First In, First Out" (FIFO) buffering, which is the default for Network Monitor (the oldest frames are discarded to make room for new ones, and the capture runs until you stop it), use the following command:
netcap /t n
To stop the capture, press the SPACEBAR.
To capture traffic for one hour by using a 1-MB FIFO buffer, use the following command:
netcap /L:01:00:00
To remove the Network Monitor driver, use the following command:
netcap /remove
Capture files that you create by using Netcap are placed in the UserProfile\Local Settings\Temp folder by default, where UserProfile is the name of the user profile. You can change the default location by using either the /c switch (which names the capture file) or the /tcf switch (which names the temporary capture folder). Because a capture can contain cleartext credentials and other sensitive payload data, direct it to a folder with appropriate access controls rather than leaving it in the Temp folder, and delete it when analysis is finished.